6.14.8
BUG FIXES
npm install --dev deprecation message
remove unused broken require
Do not send user secret in the referer header
DOCUMENTATION
docs: add missing metadata in semver page
Node-gyp supports both Python and legacy Python
DEPENDENCIES
update-notifier@2.5.0
npm-registry-fetch@4.0.7
meant@1.0.2
6.14.2:
DOCUMENTATION
chore(docs): update unpublish docs & policy reference
DEPENDENCIES
hosted-git-info@2.8.8
fix: regression in old node versions w/ respect to url.URL implmentation
npm-profile@4.0.4
fix: treat non-http/https login urls as invalid
glob@7.1.6
node-gyp@5.1.0
6.14.1:
hosted-git-info@2.8.7 Fixes a regression where scp-style git urls are passed to the WhatWG URL parser, which does not handle them properly.
6.14.0:
FEATURES
add support for multiple funding sources
BUG FIXES
fix: check npm.config before accessing its members
fix: access grant with unscoped packages
fix: allow new major versions of node to be automatically considered "supported"
DEPENDENCIES
hosted-git-info@2.8.6
fix: passwords & usernames are escaped properly in git deps
chownr@1.1.4
npm-packlist@1.4.8
npm-registry-fetch@4.0.3
fix: always bypass cache when ?write=true
readable-stream@3.6.0
fix: babel's "loose mode" class transform enbrittles BufferList
DOCUMENTATION
update lifecycle hooks docs
fix: trademarks typo
fix: postinstall example
fix: bad links in publish docs
MISCELLANEOUS
add script to update dist-tags
6.13.6:
DEPENDENCIES
pacote@9.5.12:
* fix(git): Do not drop uid/gid when executing in root-owned directory
6.13.5:
BUG FIXES
Fix cache location for npm ci
fix(version): using 'allow-same-version', git commit --allow-empty and git tag -f
TESTING
test(ci): add failing cache config test
test: fix bin-overwriting test on Windows
ci: Allow builds to run even if one fails
Remove the unused appveyor.yml
ci: switch to actions/checkout@v2
DOCUMENTATION
fix netlify publish path config
update gatsby dependencies
docs: clarify usage of global prefix
6.13.4:
BUGFIXES
Do not remove global bin/man links inappropriately
DEPENDENCIES
gentle-fs@2.3.0
bin-links@1.1.6
6.13.3:
DEPENDENCIES
bin-links@1.1.5 Properly normalize, sanitize, and verify bin entries in package.json.
npm-packlist@1.4.7
pacote@9.5.11
fix: Do not drop perms in git when not root
sanitize and normalize package bin field
read-package-json@2.1.1
6.13.2:
BUG FIXES
* fix docs target typo
* fix(packageRelativePath): fix 'where' for file deps
* Revert "windows: Add preliminary WSL support for npm and npx"
* remove unnecessary package.json read when reading shrinkwrap
* fix(fund): open url for string shorthand
* Don't log error message if git tagging is disabled
* Warn the user that it is uninstalling npm-install
v6.13.1:
fix(fund): support funding string shorthand
should not publish tap-snapshot folder
Add preliminary WSL support for npm and npx
print quick audit report for human output
v6.13.0:
add fund command
delete ps1 files on package removal
update supported node list to remove v6.0, v6.1, v9.0 - v9.2
v6.12.1:
add node v13 as a supported version
Fix regression in lockfile repair for sub-deps
resolve circular dependency in pack.js
v6.12.0:
Now npm ci runs prepare scripts for git dependencies, and respects the --no-optional argument. Warnings for engine mismatches are printed again. Various other fixes and cleanups.
v6.10.3:
BUGFIXES
vulns → vulnerabilities in npm audit output
install, doctor: don't crash if registry unset
Handle unhandledRejections, tell user what to do when encountering an EACCES error in the cache.
v6.10.2:
tl;dr - Fixes several issues with the cache when npm is run as sudo on Unix systems.
TESTING
check test cache for root-owned files
run sudo tests on Travis-CI
set --no-esm tap flag
add script to run tests and leave fixtures for inspection and debugging
BUGFIXES
add a util for writing arbitrary files to cache This prevents metrics timing and debug logs from becoming root-owned.
infer cache owner from parent dir in correct-mkdir util
ensure correct owner on cached all-packages metadata
report server error on failure
Fix npm ci with file: dependencies.
v6.9.2
This release is identical to v6.9.1, but we had to publish a new version due to a .git directory in the release.
v6.9.1
BUGFIXES
Update knownBroken version.
Fix outdated rendering for global dependencies.
Fix OTP for token create and remove.
DEPENDENCIES
sha@3.0.0
query-string@6.4.0
readable-stream@3.2.0
tacks@1.3.0
tap@12.6.0
tar-stream@2.0.1
6.9.0:
FEATURES
* Time traveling installs using the --before flag.
* Add support for package aliases. This allows packages to be installed under a
different directory than the package name listed in package.json, and adds a
new dependency type to allow this to be done for registry dependencies.
* Always save package-lock.json when using --package-lock-only.
* Make empty-string run-scripts run successfully as a no-op.
* Match git semver ranges when flattening the tree.
* Re-enable updating local packages.
BUGFIXES
* Set modified to undefined in npm view when time is not available. This
fixes a bug where npm view would crash on certain third-party registries.
* Print out tar version in install.sh only when the flag is supported not all
the tar implementations support --version flag. This allows the install script
to work in OpenBSD, for example.
* Fix typo in error message for npm stars.
* Strip version info from pkg on E404. This improves the error messaging format.
DOCS
* Add npm add as alias to npm install in docs.
* Fix link to RFC 10 in the changelog.
* Describe exit codes in npm-audit docs.
v6.8.0:
This release includes an implementation of [RFC 10], documenting an optional field that can be used to specify
the directory path for a package within a monorepo.
NEW FEATURES
* Update package.json docs to include repository.directory details.
BUGFIXES
* Add @types to ignore list to fix git clean -fd.
* Fix common.npm callback arguments.
* Show installed but unmet peer deps.
* Use figgy-config to make sure extra opts are there.
* Fix ls-collaborators access error for non-scoped case.
* Fix issue with sub-folder local references.
DEPENDENCY BUMPS
* npm-registry-couchapp@2.7.1
* npm-registry-fetch@3.9.0:
* Make sure publishing with legacy username:password _auth works again.
* pacote@9.4.1
* normalize-package-data@2.5.0
* npm-packlist@1.3.0
* read-package-tree@5.2.2
MISC
* Use const in lib/fetch-package-metadata.md.
* Replace ronn with marked-man in .npmignore.
* Reduce work to test if executable ends with a 'g'.
v6.7.0:
Hey y'all! This is a quick hotfix release that includes some important fixes to npm@6.6.0 related to the large rewrite/refactor. We're tagging it as a feature release because the changes involve some minor new features, and semver is semver, but there's nothing major here.
NEW FEATURES
Improve usage errors to npm org commands and add optional filtering to npm org ls subcommand.
BUGFIXES
Fix default usage printout for npm org so you actually see how it's supposed to be used.
fix default usage message for npm hook
DOCS
Add manpage for npm org command.
DEPENDENCY BUMPS
Fall back to "fullfat" packuments on ETARGET errors. This will make it so that, when a package is published but the corgi follower hasn't caught up, users can still install a freshly-published package.
Fixes auth error for username/password legacy authentication.
Fixes issue with "cannot run in wd" errors for run-scripts.
Fixes issues with leaking signal-exit instances and file descriptors.
v6.6.0
REFACTORING OUT npm-REGISTRY-CLIENT
Today is an auspicious day! This release marks the end of a massive internal refactor to npm that means we finally got rid of the legacy npm-registry-client in favor of the shiny, new, window.fetch-like npm-registry-fetch.
Now, the installer had already done most of this work with the release of npm@5, but it turns out every other command still used the legacy client. This release updates all of those commands to use the new client, and while we're at it, adds a few extra goodies:
All OTP-requiring commands will now prompt. --otp is no longer required for dist-tag, access, et al.
We're starting to integrate a new config system which will eventually get extracted into a standalone package.
We now use libnpm for the API functionality of a lot of our commands! That means you can install a library if you want to write your own tooling around them.
There's now an npm org command for managing users in your org.
pacote now consumes npm-style configurations, instead of its own naming for various config vars. This will make it easier to load npm configs using libnpm.config and hand them directly to pacote.
NEW FEATURES
Make npm dist-tags the same as npm dist-tag ls.
Add support for IBM i.
Update profile to support new npm-profile API.
BUGFIXES
Fix support for passing git binary path config with --git.
Check for npm.config's existence in error-handler.js to prevent weird errors when failures happen before config object is loaded.
Fix checking for optional dependencies.
Remove tink experiments.
Handle git branch references correctly.
Report any errors above 400 as potentially not supporting audit.
Set default homepage to an empty string.
Fix npm-prefix description.
DOCS
Fix typo in npm-token documentation.
Correct docs for fake-registry interface.
v6.5.0:
NEW FEATURES
Backronym npm ci to npm clean-install.
Adds 'Homepage' to outdated --long output.
BUGFIXES
Fix sign-git-commit options. They were previously totally wrong.
Set lowercase headers for npm audit requests.
Fix npm edit handling of scoped packages.
Make summary output for npm ci go to stdout, not stderr.
Close the file descriptor during publish if exiting upload via an error. This will prevent strange error messages when the upload fails and make sure
cleanup happens correctly.
6.4.1
BUGFIXES
- Prevent blowing up on malformed responses from the npm audit
endpoint, such as with third-party registries.
- Fix NO_PROXY support by renaming npm-side config to --noproxy. The
environment variable should still work.
- Disable update-notifier checks when a CI environment is detected.
- Fix issue where postpack scripts would break if pack was used with
--dry-run.
DEPENDENCY BUMPS
- figgy-pudding@3.4.1
- cacache@11.2.0
- npm-packlist@1.1.11
- libcipm@2.0.2
- JSONStream@1.3.4
- npm-lifecycle@2.1.0
- npm-registry-client@8.6.0
- opener@1.5.0
- request@2.88.0
- tacks@1.2.7
- ci-info@1.4.0
- marked@0.5.0
DOCUMENTATION
- Mention registry terms of use in manpage and registry docs and
update language in README for it.
- Add documentation for --dry-run in install and pack docs.
- Update republish time and lightly reorganize republish info.
- Correct npm@6.4.0 release date in changelog.
- Align command descriptions in help text.
6.4.0
NEW FEATURES
- Search for authentication token defined by environment variables by
preventing the translation layer from env variable to npm option
from breaking :_authToken.
- Stop filtering out non-IPv4 addresses from local-addrs, making npm
actually use IPv6 addresses when it must.
- Configurable audit level for non-zero exit npm audit currently exits
with exit code 1 if any vulnerabilities are found of any level. Add
a flag of --audit-level to npm audit to allow it to pass if only
vulnerabilities below a certain level are found. Example: npm audit
--audit-level=high will exit with 0 if only low or moderate level
vulns are detected.
BUGFIXES
- Don't check for updates to npm when we are updating npm itself.
## v6.3.0 (2018-08-01):
- `figgy-pudding@3.2.0`
- `cacache@11.1.0`
## v6.3.0-next.0 (2018-07-25):
### NEW FEATURES
- `npm version` now supports a `--preid` option to specify the preid
for prereleases. For example, `npm version premajor --preid rc` will tag
a version like `2.0.0-rc.0`.
### MESSAGING IMPROVEMENTS
- Make `npm audit fix` message provide better instructions for
vulnerabilities that require manual review.
- Fix missing colon next to tarball url in new `npm view` output.
- Use the defaut OTP explanation everywhere except when the context is
"OTP-aware" (like when setting double-authentication). This improves
the overall CLI messaging when prompting for an OTP code.
### MISC
- Use the extracted `stringify-package` package.
- `wrappy` was previously added to dependencies in order to flatten
it, but we no longer do legacy-style for npm itself, so it has been
removed from `package.json`.
## v6.2.0 (2018-07-13):
### FEATURES
- Add support for tab-separated output for `npm audit` data with the
`--parseable` flag.
- Add new `sign-git-commit` config to control whether the git commit
itself gets signed, or just the tag (which is the default).
### FIXES
- Do not use `SET` to fetch the env in git-bash or Cygwin.
### DEPENDENCY BUMPS
- `request@2.81.0`: Downgraded to allow better deduplication. This
does introduce a bunch of `hoek`-related audit reports, but they don't
affect npm itself so we consider it safe. We'll upgrade `request` again
once `node-gyp` unpins it.
- `node-gyp@3.7.0`
_ `cli-table3@0.5.0`: `cli-table2` is unmaintained and required
`lodash`. With this dependency bump, we've removed `lodash` from our tree,
which cut back tarball size by another 300kb.
- `npm-audit-report@1.3.1`
- Add `cli-table3` to bundleDeps.
- Make `standard` happy.
## v6.2.0-next.1 (2018-07-05):
- Remove postinstall script that depended on source files, thus
preventing `npm@next` from being installable from the registry.
## v6.2.0-next.0 (2018-06-28):
### NEW FEATURES
- You can now disable the update notifier entirely by using
`--no-update-notifier` or setting it in your config with `npm config
set update-notifier false`.
- When `npm run-script <script>` fails due to a typo or missing
script, npm will now do a "did you mean?..." for scripts that do exist.
### BUGFIXES
- Fix the regular expression matching in `xcode_emulation` in
`node-gyp` to also handle version numbers with multiple-digit major
versions which would otherwise break under use of XCode 10.
- Stop trying to hoist/dedupe bundles dependencies.
- Add synopsis to brief help for `npm audit` and suppress trailing
newline.
- Exclude /.github directory from npm tarball.
- Add suggestion to use a temporary cache instead of `npm cache clear
--force`.
### DEPENDENCY SHUFFLE!
We did some reshuffling and moving around of npm's own dependencies.
This significantly reduces the total bundle size of the npm pack,
from 8MB to 4.8MB for the distributed tarball! We also moved around
what we actually commit to the repo as far as devDeps go.
- Flatten and dedupe our dependencies!
- Remove unused direct dependency `ansi-regex`.
- Reshuffle ansi-regex for better deduping.
- Reshuffle strip-ansi for better deduping.
- Reshuffle is-fullwidth-code-point for better deduping.
- Add fake-registry, npm-registry-mock replacement.
### DEPENDENCIES
- `tar@4.4.3`
- `pacote@8.1.6`
- `libcipm@2.0.0`
- `request@2.87.0`
- `which@1.3.1`
- `tar@4.4.4`
- `JSONStream@1.3.3`
- `is-cidr@2.0.6`
- `marked@0.4.0`
- `tap@12.0.1`
- `npm-profile@3.0.2`
- `uuid@3.3.2`
- NEW FEATURE: npm audit fix
- OTHER NEW audit FEATURES
- Add support for npm audit --json to print the report in JSON
format.
- Include number of audited packages in npm install summary output.
- Overhaul audit install and detail output format.
- NEW FEATURE: GIT DEPS AND npm init <pkg>!
- FIX WRITE AFTER END ERROR
- DETECT CHANGES IN GIT SPECIFIERS
- OTHER BUGFIXES
- When requesting the update of a direct dependency that was also a
transitive dependency to a version incompatible with the
transitive requirement and you had a lock-file but did not have a
node_modules folder then npm would fail to provide a new copy of the
transitive dependency, resulting in an invalid lock-file that could
not self heal.
- Cleanup output of npm ci summary report.
- Node.js now has a test that scans for things that look like
conflict markers in source code. This was triggering false
positives on a fixture in a test of npm's ability to heal lockfiles
with conflicts in them.
- Make the new npm view work when the license field is an object
instead of a string.
- Add support for environments (like Docker) where the expected
binary for opening external URLs is not available.
- Fix a spurious colon in the new update notifier message and add
support for the npm canary.
- Infer a version range when a package.json has a dist-tag instead
of a version range in one of its dependency specs. Previously,
this would cause dependencies to be flagged as invalid.
- Make sure scoped bundled deps are shown in the new publish
preview, too.
- Stop dropping size from metadata on npm cache verify.
- Fix nested command aliases.
- Make sure different versions of the Path env var on Windows all
get node_modules/.bin prepended when running lifecycle scripts.
6.0.1:
CTRL-C OUT DURING PACKAGE EXTRACTION AS MUCH AS YOU WANT!
lockfile@1.0.4: Switches to signal-exit to detect abnormal exits and remove locks.
SHRONKWRAPS AND LACKFILES
If a published modules had legacy npm-shrinkwrap.json we were saving ordinary registry dependencies (name@version) to your package-lock.json as https:// URLs instead of versions.
* When saving the lock-file compute how the dependency is being required instead of using _resolved in the package.json. This fixes the bug that was converting registry dependencies into https:// dependencies.
* When encountering a https:// URL in our lockfiles that point at our default registry, extract the version and use them as registry dependencies. This lets us heal package-lock.json files produced by 6.0.0
AUDIT AUDIT EVERYWHERE
You can't use it quite yet, but we do have a few last moment patches to npm audit to make it even better when it is turned on!
