NEW FEATURE: npm audit fix
OTHER NEW audit FEATURES
- Add support for npm audit --json to print the report in JSON format.
- Include number of audited packages in npm install summary output.
- Overhaul audit install and detail output format.
NEW FEATURE: GIT DEPS AND npm init <pkg>!
FIX WRITE AFTER END ERROR
DETECT CHANGES IN GIT SPECIFIERS
OTHER BUGFIXES
- When you requested an update of a direct dependency that was also a transitive dependency, to a version incompatible with the transitive requirement, and you had a lock-file but no node_modules folder, npm failed to provide a new copy of the transitive dependency, resulting in an invalid lock-file that could not self-heal.
- Cleanup output of npm ci summary report.
- Node.js now has a test that scans for things that look like conflict markers in source code. This was triggering false positives on a fixture in a test of npm's ability to heal lockfiles with conflicts in them.
- Make the new npm view work when the license field is an object instead of a string.
- Add support for environments (like Docker) where the expected binary for opening external URLs is not available.
- Fix a spurious colon in the new update notifier message and add support for the npm canary.
- Infer a version range when a package.json has a dist-tag instead of a version range in one of its dependency specs. Previously, this would cause dependencies to be flagged as invalid.
- Make sure scoped bundled deps are shown in the new publish preview, too.
- Stop dropping size from metadata on npm cache verify.
- Fix nested command aliases.
- Make sure different versions of the Path env var on Windows all get node_modules/.bin prepended when running lifecycle scripts.
6.0.1:
CTRL-C OUT DURING PACKAGE EXTRACTION AS MUCH AS YOU WANT!
- lockfile@1.0.4: Switches to signal-exit to detect abnormal exits and remove locks.
SHRONKWRAPS AND LACKFILES
If a published module had a legacy npm-shrinkwrap.json, we were saving ordinary registry dependencies (name@version) to your package-lock.json as https:// URLs instead of versions.
- When saving the lock-file, compute how the dependency is being required instead of using _resolved in the package.json. This fixes the bug that was converting registry dependencies into https:// dependencies.
- When encountering https:// URLs in our lockfiles that point at our default registry, extract the version and use it as a registry dependency. This lets us heal package-lock.json files produced by 6.0.0.
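The healing step described above, as an added illustration that is not npm's own code: it walks a lockfileVersion 1 package-lock.json, recognises entries whose version field is a tarball URL on the default registry, and rewrites them back to plain versions. It assumes the default registry is https://registry.npmjs.org/ and that registry tarballs follow the `<name>/-/<basename>-<version>.tgz` layout; the sample lockfile is constructed.

```javascript
// Added example, not npm's code. Assumed default registry and tarball URL layout.
const DEFAULT_REGISTRY = 'https://registry.npmjs.org/';
const SEMVER = /^\d+\.\d+\.\d+(?:-[\w.-]+)?(?:\+[\w.-]+)?$/;

// Return the version encoded in a default-registry tarball URL for `name`,
// or null when `spec` is anything else (plain version, git URL, other host).
function registryTarballVersion(spec, name, registry = DEFAULT_REGISTRY) {
  if (typeof spec !== 'string' || !spec.startsWith(registry)) return null;
  const basename = name.includes('/') ? name.split('/')[1] : name; // scoped pkgs
  const prefix = `${registry}${name}/-/${basename}-`;
  if (!spec.startsWith(prefix) || !spec.endsWith('.tgz')) return null;
  const version = spec.slice(prefix.length, -'.tgz'.length);
  return SEMVER.test(version) ? version : null; // refuse anything non-semver
}

// Walk the nested "dependencies" tree in place; return how many entries were healed.
function healLockfile(lock, registry = DEFAULT_REGISTRY) {
  let healed = 0;
  const walk = (deps) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const version = registryTarballVersion(entry.version, name, registry);
      if (version) {
        entry.version = version; // resolved/integrity stay as they are
        healed++;
      }
      walk(entry.dependencies);
    }
  };
  walk(lock.dependencies);
  return healed;
}

// Constructed sample in the shape a 6.0.0 lockfile could have taken.
const SAMPLE_LOCK = {
  name: 'example-app', version: '1.0.0', lockfileVersion: 1, requires: true,
  dependencies: {
    'some-lib': {
      version: 'https://registry.npmjs.org/some-lib/-/some-lib-1.3.0.tgz',
      resolved: 'https://registry.npmjs.org/some-lib/-/some-lib-1.3.0.tgz',
    },
    '@scope/pkg': {
      version: 'https://registry.npmjs.org/@scope/pkg/-/pkg-2.0.1.tgz',
      dependencies: {
        // Another registry host: must be left alone, it really is a URL dep.
        'other-dep': { version: 'https://registry.example.invalid/other-dep/-/other-dep-1.0.0.tgz' },
      },
    },
    'already-fine': { version: '4.17.11' },
  },
};

const demo = JSON.parse(JSON.stringify(SAMPLE_LOCK));
console.log(`healed ${healLockfile(demo)} entries`, JSON.stringify(demo.dependencies, null, 2));
```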
AUDIT AUDIT EVERYWHERE
You can't use it quite yet, but we do have a few last moment patches to npm audit to make it even better when it is turned on!