This is a quick patch to the release to fix an issue that was preventing users from installing npm@next.

• ecdcbd745 #21129 Remove postinstall script that depended on source files, thus preventing npm@next from being installable from the registry. (@zkat)

NEW FEATURES

• ce0793358 #20750 You can now disable the update notifier entirely by using --no-update-notifier or setting it in your config with npm config set update-notifier false. (@travi)
• d2ad776f6 #20879 When npm run-script <script> fails due to a typo or missing script, npm will now do a "did you mean?..." for scripts that do exist. (@watilde)

BUGFIXES

• 8f033d72d #20948 Fix the regular expression matching in xcode_emulation in node-gyp to also handle version numbers with multiple-digit major versions which would otherwise break under use of XCode 10. (@Trott)
• c8ba7573a Stop trying to hoist/dedupe bundles dependencies. (@iarna)
• cd698f068 #20762 Add synopsis to brief help for npm audit and suppress trailing newline. (@wyardley)
• 6808ee3bd #20881 Exclude /.github directory from npm tarball. (@styfle)
• 177cbb476 #21105 Add suggestion to use a temporary cache instead of npm cache clear --force. (@karanjthakkar)

DOCS

• 7ba3fca00 #20855 Direct people to npm.community instead of the GitHub issue tracker on error. (@zkat)
• 88efbf6b0 #20859 Fix typo in registry docs. (@strugee)
• 61bf827ae #20947 Fixed a small grammar error in the README. (@bitsol)
• f5230c90a #21018 Small typo fix in CONTRIBUTING.md. (@reggi)
• 833efe4b2 #20986 Document current structure/expectations around package tarballs. (@Maximaximum)
• 9fc0dc4f5 #21019 Clarify behavior of npm link ../path shorthand. (@davidgilbertson)
• 3924c72d0 #21064 Add missing "if" (@roblourens)

DEPENDENCY SHUFFLE!

We did some reshuffling and moving around of npm's own dependencies. This significantly reduces the total bundle size of the npm pack, from 8MB to 4.8MB for the distributed tarball! We also moved around what we actually commit to the repo as far as devDeps go.

• 0483f5c5d Flatten and dedupe our dependencies! (@iarna)
• ef9fa1ceb Remove unused direct dependency ansi-regex. (@iarna)
• 0d14b0bc5 Reshuffle ansi-regex for better deduping. (@iarna)
• 68a101859 Reshuffle strip-ansi for better deduping. (@iarna)
• 0d5251f97 Reshuffle is-fullwidth-code-point for better deduping. (@iarna)
• 2d0886632 Add fake-registry, npm-registry-mock replacement. (@iarna)

DEPENDENCIES

• 8cff8eea7 [email protected] (@zkat)
• bfc4f873b [email protected] (@zkat)
• 532096163 [email protected] (@zkat)
• 4a512771b [email protected] (@iarna)
• b7cc48dee [email protected] (@iarna)
• bae657c28 [email protected] (@iarna)
• 3d46e5c4e [email protected] (@iarna)
• d0a905daf [email protected] (@iarna)
• 4fc1f815f [email protected] (@iarna)
• f72202944 [email protected] (@iarna)
• bdce96eb3 [email protected] (@iarna)
• fe4240e85 [email protected] (@zkat)

Look at that! A feature bump! npm@6 was super-exciting not just because it used a bigger number than ever before, but also because it included a super shiny new command: npm audit. Well, we've kept working on it since then and have some really nice improvements for it. You can expect more of them, and the occasional fix, in the next few releases as more users start playing with it and we get more feedback about what y'all would like to see from something like this.

I, for one, have started running it (and the new subcommand...) in all my projects, and it's one of those things that I don't know how I ever functioned -without- it! This will make a world of difference to so many people as far as making the npm ecosystem a higher-quality, safer commons for all of us.

This is also a good time to remind y'all that we have a new RFCs repository, along with a new process for them. This repo is open to anyone's RFCs, and has already received some great ideas about where we can take the CLI (and, to a certain extent, the registry). It's a great place to get feedback, and completely replaces feature requests in the main repo, so we won't be accepting feature requests there at all anymore. Check it out if you have something you'd like to suggest, or if you want to keep track of what the future might look like!

NEW FEATURE: npm audit fix

This is the biggie with this release! npm audit fix does exactly what it says on the tin. It takes all the actionable reports from your npm audit and runs the installs automatically for you, so you don't have to try to do all that mechanical work yourself!

Note that by default, npm audit fix will stick to semver-compatible changes, so you should be able to safely run it on most projects and carry on with your day without having to track down what breaking changes were included. If you want your (toplevel) dependencies to accept semver-major bumps as well, you can use npm audit fix --force and it'll toss those in, as well. Since it's running the npm installer under the hood, it also supports --production and --only=dev flags, as well as things like --dry-run, --json, and --package-lock-only, if you want more control over what it does.

Give it a whirl and tell us what you think! See npm help audit for full docs!

• 3800a660d Add npm audit fix subcommand to automatically fix detected vulnerabilities. (@zkat)

OTHER NEW audit FEATURES

• 1854b1c7f #20568 Add support for npm audit --json to print the report in JSON format. (@finnp)
• 85b86169d #20570 Include number of audited packages in npm install summary output. (@zkat)
• 957cbe275 [email protected]: Overhaul audit install and detail output format. The new format is terser and fits more closely into the visual style of the CLI, while still providing you with the important bits of information you need. They also include a bit more detail on the footer about what actions you can take! (@zkat)

NEW FEATURE: GIT DEPS AND npm init <pkg>!

Another exciting change that came with npm@6 was the new npm init command that allows for community-authored generators. That means you can, for example, do npm init react-app and it'll one-off download, install, and run create-react-app for you, without requiring or keeping around any global installs. That is, it basically just calls out to npx.

The first version of this command only really supported registry dependencies, but now, @jdalton went ahead and extended this feature so you can use hosted git dependencies, and their shorthands.

So go ahead and do npm init facebook/create-react-app and it'll grab the package from the github repo now! Or you can use it with a private github repository to maintain your organizational scaffolding tools or whatnot. ✨

• 483e01180 #20403 Add support for hosted git packages to npm init <name>. (@jdalton)

FIX WRITE AFTER END ERROR

First introduced in 5.8.0, this finally puts to bed errors where you would occasionally see Error: write after end at MiniPass.write.

• 171f3182f node-tar#180 npm.community#35 [email protected]: Fix write-after-end errors. (@zkat)

DETECT CHANGES IN GIT SPECIFIERS

• 0e1726c03 We can now determine if the commitid of a git dependency in the lockfile is derived from the specifier in the package.json and if it isn't we now trigger an update for it. (@iarna)

OTHER BUGFIXES

• 442d2484f 2f0c88351 631d30a34 When requesting the update of a direct dependency that was also a transitive dependency to a version incompatible with the transitive requirement and you had a lock-file but did not have a node_modules folder then npm would fail to provide a new copy of the transitive dependency, resulting in an invalid lock-file that could not self heal. (@iarna)
• be5dd0f49 #20715 Cleanup output of npm ci summary report. (@legodude17)
• 98ffe4adb Node.js now has a test that scans for things that look like conflict markers in source code. This was triggering false positives on a fixture in a test of npm's ability to heal lockfiles with conflicts in them. (@iarna)
• a41c0393c #20538 Make the new npm view work when the license field is an object instead of a string. (@zkat)
• eb7522073 #20582 Add support for environments (like Docker) where the expected binary for opening external URLs is not available. (@bcoe)
• 212266529 #20536 Fix a spurious colon in the new update notifier message and add support for the npm canary. (@zkat)
• 5ee1384d0 #20597 Infer a version range when a package.json has a dist-tag instead of a version range in one of its dependency specs. Previously, this would cause dependencies to be flagged as invalid. (@zkat)
• 4fa68ae41 #20585 Make sure scoped bundled deps are shown in the new publish preview, too. (@zkat)
• 1f3ee6b7e [email protected]: Stop dropping size from metadata on npm cache verify. (@jfmartinez)
• 91ef93691 #20513 Fix nested command aliases. (@mmermerkaya)
• 18b2b3cf7 [email protected]: Make sure different versions of the Path env var on Windows all get node_modules/.bin prepended when running lifecycle scripts. (@laggingreflex)

DOCUMENTATION

• a91d87072 #20550 Update required node versions in README. (@legodude17)
• bf3cfa7b8 Pull in changelogs from the last npm@5 release. (@iarna)
• b2f14b14c #20629 Make tone in publishConfig docs more neutral. (@jeremyckahn)

DEPENDENCY BUMPS

• 5fca4eae8 [email protected] (@75lb)
• d9ef3fba7 [email protected] (@isaacs)
• f1baf011a [email protected] (@simonv)
• 005fa5420 [email protected] (@iarna)
• 1becdf09a [email protected] (@isaacs)
• 3f2e306b8 Using npm audit fix, replace some transitive dependencies with security issues with versions that don't have any. (@iarna)
• 1d07134e0 [email protected]: Dropping to 4.4.1 from 4.4.2 due to https://github.com/npm/node-tar/issues/183 (@zkat)

This release became 6.1.0

With this, likely the last release of the [email protected] series, we backport a number of features from 6.0.0. Contrary to Github at publication time, this is not the latest release. That honor belongs to 6.0.1, just below this. If you're using 6.0.1 there's nothing here you haven't seen before.

EXTENDED npm init SCAFFOLDING

Thanks to the wonderful efforts of @jdalton of lodash fame, npm init can now be used to invoke custom scaffolding tools!

You can now do things like npm init react-app or npm init esm to scaffold an npm package by running create-react-app and create-esm, respectively. This also adds an npm create alias, to correspond to Yarn's yarn create feature, which inspired this.

• adc009ed4 f363edd04 f03b45fb2 13adcbb52 #20303 #20372 Add an npm init feature that calls out to npx when invoked with positional arguments. (@jdalton)

DEPENDENCY AUDITING

This version of npm adds a new command, npm audit, which will run a security audit of your project's dependency tree and notify you about any actions you may need to take.

The registry-side services required for this command to work will be available on the main npm registry in the coming weeks. Until then, you won't get much out of trying to use this on the CLI.

As part of this change, the npm CLI now sends scrubbed and cryptographically anonymized metadata about your dependency tree to your configured registry, to allow notifying you about the existence of critical security flaws. For details about how the CLI protects your privacy when it shares this metadata, see npm help audit, or read the docs for npm audit online. You can disable this altogether by doing npm config set audit false, but will no longer benefit from the service.

• c81dfb91b [email protected] (@iarna)
• b096f44a9 [email protected] (@iarna)
• 43b20b204 #20389 Add new npm audit command. (@iarna)
• 49ddb3f56 #20389 Temporarily suppress git metadata till there's an opt-in. (@iarna)
• 5f1129c4b #20389 Document the new command. (@iarna)
• 9a07b379d #20389 Default audit to off when running the npm test suite itself. (@iarna)
• a6e2f1284 Make sure we hide stream errors on background audit submissions. Previously some classes of error could end up being displayed (harmlessly) during installs. (@iarna)
• aadbf3f46 Include session and scope in requests (as we do in other requests to the registry). (@iarna)
• 7d43ddf63 Exit with non-zero status when vulnerabilities are found. So you can have npm audit as a test or prepublish step! (@iarna)
• bc3fc55fa Verify lockfile integrity before running. You'd get an error either way, but this way it's faster and can give you more concrete instructions on how to fix it. (@iarna)
• 2ac8edd42 Refuse to run in global mode. Audits require a lockfile and globals don't have one. Yet. (@iarna)
• 3dcc240db Timeout audit requests eventually. (@iarna)

CTRL-C OUT DURING PACKAGE EXTRACTION AS MUCH AS YOU WANT!

• 663d8b5e5 npm/lockfile#29 [email protected]: Switches to signal-exit to detect abnormal exits and remove locks. (@Redsandro)

SHRONKWRAPS AND LACKFILES

If a published modules had legacy npm-shrinkwrap.json we were saving ordinary registry dependencies (name@version) to your package-lock.json as https:// URLs instead of versions.

• 36f998411 When saving the lock-file compute how the dependency is being required instead of using _resolved in the package.json. This fixes the bug that was converting registry dependencies into https:// dependencies. (@iarna)
• 113e1a3af When encountering a https:// URL in our lockfiles that point at our default registry, extract the version and use them as registry dependencies. This lets us heal package-lock.json files produced by 6.0.0 (@iarna)

MORE package-lock.json FORMAT CHANGES?!

• 074502916 #20384 Add from field back into package-lock for git dependencies. This will give npm the information it needs to figure out whether git deps are valid, specially when running with legacy install metadata or in --package-lock-only mode when there's no node_modules. This should help remove a significant amount of git-related churn on the lock-file. (@zkat)

DOCUMENTATION IMPROVEMENTS

• e0235ebb6 #20384 Update the lock-file spec doc to mention that we now generate the from field for git-type dependencies. (@watilde)
• 35de04676 #20408 Describe what the colors in outdated mean. (@teameh)

BUGFIXES

• 1b535cb9d #20358 npm install-test (aka npm it) will no longer generate package-lock.json when running with --no-package-lock or package-lock=false. (@raymondfeng)
• 268f7ac50 5f84ebdb6 c12e61431 #20390 Fix a scenario where a git dependency had a comittish associated with it that was not a complete commitid. npm would never consider that entry in the package.json as matching the entry in the package-lock.json and this resulted in inappropriate pruning or reinstallation of git dependencies. This has been addressed in two ways, first, the addition of the from field as described in #20384 means we can exactly match the package.json. Second, when that's missing (when working with older package-lock.json files), we assume that the match is ok. (If it's not, we'll fix it up when a real installation is done.) (@iarna)

DOCS

• 7b13bf5e3 #20331 Fix broken link to 'private-modules' page. The redirect went away when the new npm website went up, but the new URL is better anyway. (@vipranarayan14)
• 1c4ffddce #20279 Document the --if-present option for npm run-script. (@aleclarson)

DEPENDENCY UPDATES

• 815d91ce0 [email protected] (@zkat)
• 02715f19f [email protected] (@alexccl)
• 08c4ddd9e [email protected] (@isaacs)
• 53718cb12 [email protected] (@isaacs)
• 0a20cf546 [email protected] (@feross)
• e8c8e844c [email protected] (@tim-kos)
• 76c7f21bd [email protected] (@zkat)
• c8b0aa07b [email protected] (@sindresorhus)
• abfd366b4 [email protected] (@zkat)
• bd29baf83 [email protected] (@iarna)

CTRL-C OUT DURING PACKAGE EXTRACTION AS MUCH AS YOU WANT!

• b267bbbb9 npm/lockfile#29 [email protected]: Switches to signal-exit to detect abnormal exits and remove locks. (@Redsandro)

SHRONKWRAPS AND LACKFILES

If a published modules had legacy npm-shrinkwrap.json we were saving ordinary registry dependencies (name@version) to your package-lock.json as https:// URLs instead of versions.

• 89102c0d9 When saving the lock-file compute how the dependency is being required instead of using _resolved in the package.json. This fixes the bug that was converting registry dependencies into https:// dependencies. (@iarna)
• 676f1239a When encountering a https:// URL in our lockfiles that point at our default registry, extract the version and use them as registry dependencies. This lets us heal package-lock.json files produced by 6.0.0 (@iarna)

AUDIT AUDIT EVERYWHERE

You can't use it quite yet, but we do have a few last moment patches to npm audit to make it even better when it is turned on!

• b2e4f48f5 Make sure we hide stream errors on background audit submissions. Previously some classes of error could end up being displayed (harmlessly) during installs. (@iarna)
• 1fe0c7fea Include session and scope in requests (as we do in other requests to the registry). (@iarna)
• d04656461 Exit with non-zero status when vulnerabilities are found. So you can have npm audit as a test or prepublish step! (@iarna)
• fcdbcbacc Verify lockfile integrity before running. You'd get an error either way, but this way it's faster and can give you more concrete instructions on how to fix it. (@iarna)
• 2ac8edd42 Refuse to run in global mode. Audits require a lockfile and globals don't have one. Yet. (@iarna)
• 3dcc240db Timeout audit requests eventually. (@iarna)

Looking forward

We're still a way from having node@11, so now's a good time to ensure we don't warn about being used with it.

• ed1aebf55 Allow node@11, when it comes. (@iarna)

DOCUMENTATION IMPROVEMENTS

• b7fca1084 #20407 Update the lock-file spec doc to mention that we now generate the from field for git-type dependencies. (@watilde)
• 7a6555e61 #20408 Describe what the colors in outdated mean. (@teameh)

DEPENDENCY UPDATES

• 5e56b3209 [email protected] (@evilpacket)
• 58a0b31b4 [email protected] (@iarna)
• e7a8c364f zkat/pacote#148 [email protected] (@redonkulus)
• 46c0090a5 [email protected] (@isaacs)
• 8a16db3e3 [email protected] (@alexccl)
• 696375903 [email protected] (@feross)
• c949eb26a [email protected] (@sindresorhus)

EXTENDED npm init SCAFFOLDING

Thanks to the wonderful efforts of @jdalton of lodash fame, npm init can now be used to invoke custom scaffolding tools!

You can now do things like npm init react-app or npm init esm to scaffold an npm package by running create-react-app and create-esm, respectively. This also adds an npm create alias, to correspond to Yarn's yarn create feature, which inspired this.

• adc009ed4 f363edd04 f03b45fb2 13adcbb52 #20303 #20372 Add an npm init feature that calls out to npx when invoked with positional arguments. (@jdalton)

DEPENDENCY AUDITING

This version of npm adds a new command, npm audit, which will run a security audit of your project's dependency tree and notify you about any actions you may need to take.

The registry-side services required for this command to work will be available on the main npm registry in the coming weeks. Until then, you won't get much out of trying to use this on the CLI.

As part of this change, the npm CLI now sends scrubbed and cryptographically anonymized metadata about your dependency tree to your configured registry, to allow notifying you about the existence of critical security flaws. For details about how the CLI protects your privacy when it shares this metadata, see npm help audit, or read the docs for npm audit online. You can disable this altogether by doing npm config set audit false, but will no longer benefit from the service.

• c81dfb91b [email protected] (@iarna)
• b096f44a9 [email protected] (@iarna)
• 43b20b204 #20389 Add new npm audit command. (@iarna)
• 49ddb3f56 #20389 Temporarily suppress git metadata till there's an opt-in. (@iarna)
• 5f1129c4b #20389 Document the new command. (@iarna)
• 9a07b379d #20389 Default audit to off when running the npm test suite itself. (@iarna)
• a6e2f1284 Make sure we hide stream errors on background audit submissions. Previously some classes of error could end up being displayed (harmlessly) during installs. (@iarna)
• aadbf3f46 Include session and scope in requests (as we do in other requests to the registry). (@iarna)
• 7d43ddf63 Exit with non-zero status when vulnerabilities are found. So you can have npm audit as a test or prepublish step! (@iarna)
• bc3fc55fa Verify lockfile integrity before running. You'd get an error either way, but this way it's faster and can give you more concrete instructions on how to fix it. (@iarna)
• 2ac8edd42 Refuse to run in global mode. Audits require a lockfile and globals don't have one. Yet. (@iarna)

CTRL-C OUT DURING PACKAGE EXTRACTION AS MUCH AS YOU WANT!

• 663d8b5e5 npm/lockfile#29 [email protected]: Switches to signal-exit to detect abnormal exits and remove locks. (@Redsandro)

SHRONKWRAPS AND LACKFILES

If a published modules had legacy npm-shrinkwrap.json we were saving ordinary registry dependencies (name@version) to your package-lock.json as https:// URLs instead of versions.

• 36f998411 When saving the lock-file compute how the dependency is being required instead of using _resolved in the package.json. This fixes the bug that was converting registry dependencies into https:// dependencies. (@iarna)
• 113e1a3af When encountering a https:// URL in our lockfiles that point at our default registry, extract the version and use them as registry dependencies. This lets us heal package-lock.json files produced by 6.0.0 (@iarna)

MORE package-lock.json FORMAT CHANGES?!

• 074502916 #20384 Add from field back into package-lock for git dependencies. This will give npm the information it needs to figure out whether git deps are valid, specially when running with legacy install metadata or in --package-lock-only mode when there's no node_modules. This should help remove a significant amount of git-related churn on the lock-file. (@zkat)

DOCUMENTATION IMPROVEMENTS

• e0235ebb6 #20384 Update the lock-file spec doc to mention that we now generate the from field for git-type dependencies. (@watilde)
• 35de04676 #20408 Describe what the colors in outdated mean. (@teameh)

BUGFIXES

• 1b535cb9d #20358 npm install-test (aka npm it) will no longer generate package-lock.json when running with --no-package-lock or package-lock=false. (@raymondfeng)
• 268f7ac50 5f84ebdb6 c12e61431 #20390 Fix a scenario where a git dependency had a comittish associated with it that was not a complete commitid. npm would never consider that entry in the package.json as matching the entry in the package-lock.json and this resulted in inappropriate pruning or reinstallation of git dependencies. This has been addressed in two ways, first, the addition of the from field as described in #20384 means we can exactly match the package.json. Second, when that's missing (when working with older package-lock.json files), we assume that the match is ok. (If it's not, we'll fix it up when a real installation is done.) (@iarna)

DOCS

• 7b13bf5e3 #20331 Fix broken link to 'private-modules' page. The redirect went away when the new npm website went up, but the new URL is better anyway. (@vipranarayan14)
• 1c4ffddce #20279 Document the --if-present option for npm run-script. (@aleclarson)

DEPENDENCY UPDATES

• 815d91ce0 [email protected] (@zkat)
• 02715f19f [email protected] (@alexccl)
• 08c4ddd9e [email protected] (@isaacs)
• 53718cb12 [email protected] (@isaacs)
• 0a20cf546 [email protected] (@feross)
• e8c8e844c [email protected] (@tim-kos)
• 76c7f21bd [email protected] (@zkat)
• c8b0aa07b [email protected] (@sindresorhus)
• abfd366b4 [email protected] (@zkat)
• bd29baf83 [email protected] (@iarna)

CTRL-C OUT DURING PACKAGE EXTRACTION AS MUCH AS YOU WANT!

• b267bbbb9 npm/lockfile#29 [email protected]: Switches to signal-exit to detect abnormal exits and remove locks. (@Redsandro)

SHRONKWRAPS AND LACKFILES

If a published modules had legacy npm-shrinkwrap.json we were saving ordinary registry dependencies (name@version) to your package-lock.json as https:// URLs instead of versions.

• 89102c0d9 When saving the lock-file compute how the dependency is being required instead of using _resolved in the package.json. This fixes the bug that was converting registry dependencies into https:// dependencies. (@iarna)
• 676f1239a When encountering a https:// URL in our lockfiles that point at our default registry, extract the version and use them as registry dependencies. This lets us heal package-lock.json files produced by 6.0.0 (@iarna)

AUDIT AUDIT EVERYWHERE

You can't use it quite yet, but we do have a few last moment patches to npm audit to make it even better when it is turned on!

• b2e4f48f5 Make sure we hide stream errors on background audit submissions. Previously some classes of error could end up being displayed (harmlessly) during installs. (@iarna)
• 1fe0c7fea Include session and scope in requests (as we do in other requests to the registry). (@iarna)
• d04656461 Exit with non-zero status when vulnerabilities are found. So you can have npm audit as a test or prepublish step! (@iarna)
• fcdbcbacc Verify lockfile integrity before running. You'd get an error either way, but this way it's faster and can give you more concrete instructions on how to fix it. (@iarna)
• 2ac8edd42 Refuse to run in global mode. Audits require a lockfile and globals don't have one. Yet. (@iarna)

DOCUMENTATION IMPROVEMENTS

• b7fca1084 #20407 Update the lock-file spec doc to mention that we now generate the from field for git-type dependencies. (@watilde)
• 7a6555e61 #20408 Describe what the colors in outdated mean. (@teameh)

DEPENDENCY UPDATES

• 5e56b3209 [email protected] (@evilpacket)
• 58a0b31b4 [email protected] (@iarna)
• e7a8c364f zkat/pacote#148 [email protected] (@redonkulus)
• 46c0090a5 [email protected] (@isaacs)
• 8a16db3e3 [email protected] (@alexccl)
• 696375903 [email protected] (@feross)
• c949eb26a [email protected] (@sindresorhus)

This release contains:

v6.0.0.next-1

There's two major features included with this release, along with a few miscellaneous fixes and changes.

EXTENDED npm init SCAFFOLDING

Thanks to the wonderful efforts of @jdalton of lodash fame, npm init can now be used to invoke custom scaffolding tools!

You can now do things like npm init react-app or npm init esm to scaffold an npm package by running create-react-app and create-esm, respectively. This also adds an npm create alias, to correspond to Yarn's yarn create feature, which inspired this.

• 008a83642 ed81d1426 833046e45 #20303 Add an npm init feature that calls out to npx when invoked with positional arguments. (@jdalton)

DEPENDENCY AUDITING

This version of npm adds a new command, npm audit, which will run a security audit of your project's dependency tree and notify you about any actions you may need to take.

The registry-side services required for this command to work will be available on the main npm registry in the coming weeks. Until then, you won't get much out of trying to use this on the CLI.

As part of this change, the npm CLI now sends scrubbed and cryptographically anonymized metadata about your dependency tree to your configured registry, to allow notifying you about the existence of critical security flaws. For details about how the CLI protects your privacy when it shares this metadata, see npm help audit, or read the docs for npm audit online. You can disable this altogether by doing npm config set audit false, but will no longer benefit from the service.

• f4bc648ea #20389 [email protected] (@iarna)
• 594d16987 #20389 [email protected] (@iarna)
• 8c77dde74 1d8ac2492 552ff6d64 09c734803 #20389 Add new npm audit command. (@iarna)
• be393a290 #20389 Temporarily suppress git metadata till there's an opt-in. (@iarna)
• 8e713344f #20389 Document the new command. (@iarna)

MORE package-lock.json FORMAT CHANGES?!

• 820f74ae2 #20384 Add from field back into package-lock for git dependencies. This will give npm the information it needs to figure out whether git deps are valid, specially when running with legacy install metadata or in --package-lock-only mode when there's no node_modules. This should help remove a significant amount of git-related churn on the lock-file. (@zkat)

BUGFIXES

• 9d5d0a18a #20358 npm install-test (aka npm it) will no longer generate package-lock.json when running with --no-package-lock or package-lock=false. (@raymondfeng)
• e4ed976e2 2facb35fb 9c1eb945b #20390 Fix a scenario where a git dependency had a comittish associated with it that was not a complete commitid. npm would never consider that entry in the package.json as matching the entry in the package-lock.json and this resulted in inappropriate pruning or reinstallation of git dependencies. This has been addressed in two ways, first, the addition of the from field as described in #20384 means we can exactly match the package.json. Second, when that's missing (when working with older package-lock.json files), we assume that the match is ok. (If it's not, we'll fix it up when a real installation is done.) (@iarna)

DEPENDENCIES

• 1c1f89b73 [email protected] (@zkat)
• 242d8a647 [email protected] (@zkat)

DOCS

• a1c77d614 #20331 Fix broken link to 'private-modules' page. The redirect went away when the new npm website went up, but the new URL is better anyway. (@vipranarayan14)
• ad7a5962d #20279 Document the --if-present option for npm run-script. (@aleclarson)

v6.0.0-next.0

NEW FEATURES

• a9e722118 #20256 Add support for managing npm webhooks. This brings over functionality previously provided by the wombat CLI. (@zkat)
• 8a1a64203 #20126 Add npm cit command that's equivalent of npm ci && npm t that's equivalent of npm it. (@SimenB)
• fe867aaf1 49d18b4d8 ff6b31f77 78eab3cda The requires field in your lock-file will be upgraded to use ranges from versions on your first use of npm. (@iarna)
• cf4d7b4de #20257 Add shasum and integrity to the new npm view output. (@zkat)

BUG FIXES

• 685764308 Fix a bug where OTPs passed in via the commandline would have leading zeros deleted resulted in authentication failures. (@iarna)

• 8f3faa323 6800f76ff ec90c06c7 825b5d2c6 4785f13fb bd16485f5 Restore the ability to bundle dependencies that are uninstallable from the registry. This also eliminates needless registry lookups for bundled dependencies.

  Fixed a bug where attempting to install a dependency that is bundled inside another module without reinstalling that module would result in ENOENT errors. (@iarna)

• 429498a8c #20029 Allow packages with non-registry specifiers to follow the fast path that the we use with the lock-file for registry specifiers. This will improve install time especially when operating only on the package-lock (--package-lock-only). (@zkat)

  Fix the a bug where npm i --only=prod could remove development dependencies from lock-file. (@iarna)

• 834b46ff4 #20122 Improve the update-notifier messaging (borrowing ideas from pnpm) and eliminate false positives. (@zkat)

• f9de7ef3a #20154 Let version succeed when package-lock.json is gitignored. (@nwoltman)

• f8ec52073 #20212 Ensure that we only create an etc directory if we are actually going to write files to it. (@buddydvd)

• ab489b753 #20140 Note in documentation that package-lock.json version gets touched by npm version. (@srl295)

• 857c2138d #20032 Fix bug where unauthenticated errors would get reported as both 404s and 401s, i.e. npm ERR! 404 Registry returned 401. In these cases the error message will now be much more informative. (@iarna)

• d2d290bca #20082 Allow optional @ prefix on scope with npm team commands for parity with other commands. (@bcoe)

• b5babf0a9 #19580 Improve messaging when two-factor authentication is required while publishing. (@jdeniau)

• 471ee1c5b 0da38b7b4 Fix a bug where optional status of a dependency was not being saved to the package-lock on the initial install. (@iarna)

• b3f98d8ba 9dea95e31 Ensure that --no-optional does not remove optional dependencies from the lock-file. (@iarna)

MISCELLANEOUS

• ec6b12099 Exclude all tests from the published version of npm itself. (@iarna)

DEPENDENCY UPDATES

• 73dc97455 zkat/cipm#46 [email protected]: Detect binding.gyp for default install lifecycle. Let's npm ci work on projects that have their own C code. (@caleblloyd)
• 77c3f7a00 [email protected]
• dce733e37 zkat/json-parse-better-errors#1 [email protected] (@Hoishin)
• c52765ff3 [email protected] (@mcollina)
• e160adf9f [email protected] (@sindersorhus)
• 9a9d7809e [email protected] (@joshbruce)
• f2fbd8577 #20256 [email protected] (@zkat)
• 44972d53d #20256 [email protected] (@zkat)
• cfe562c58 #20276 [email protected]
• 3c0bbcb8e zkat/npx#172 [email protected] (@jdalton)
• 0573d91e5 zkat/cacache#128 [email protected] (@zkat)
• 396afa99f [email protected] (@zkat)
• e7f869c36 [email protected] (@zkat)
• 77dac72df [email protected] (@zkat)
• 0b802f2a0 [email protected] (@iarna)
• 4781b64bc [email protected] (@zkat)
• 7bdbaeea6 [email protected] (@zkat)
• 5f2bf4222 [email protected] (@zkat)

This release became 6.0.0

This release is a part of 6.0.0

NEW FEATURES

• 32ec2f54b #20257 Add shasum and integrity to the new npm view output. (@zkat)
• a22153be2 #20126 Add npm cit command that's equivalent of npm ci && npm t that's equivalent of npm it. (@SimenB)

BUG FIXES

• 089aeaf44 Fix a bug where OTPs passed in via the commandline would have leading zeros deleted resulted in authentication failures. (@iarna)

• 6eaa860ea Eliminate direct use of new Buffer in npm. While the use of it in npm was safe, there are two other reasons for this change:

  1. Node 10 emits warnings about its use.
  2. Users who require npm as a library (which they definitely should not do) can call the functions that call new Buffer in unsafe ways, if they try really hard. (@iarna)

• 85900a294 Starting with 5.8.0 the requires section of the lock-file saved version ranges instead of specific versions. Due to a bug, further actions on the same lock-file would result in the range being switched back to a version. This corrects that, keeping ranges when they appear. (@iarna)

• 0dffa9c2a 609d6f6e1 08f81aa94 f8b76e076 6d609822d 59d080a22 Restore the ability to bundle dependencies that are uninstallable from the registry. This also eliminates needless registry lookups for bundled dependencies.

  Fixed a bug where attempting to install a dependency that is bundled inside another module without reinstalling that module would result in ENOENT errors. (@iarna)

• db846c2d5 #20029 Allow packages with non-registry specifiers to follow the fast path that the we use with the lock-file for registry specifiers. This will improve install time especially when operating only on the package-lock (--package-lock-only). (@zkat)

  Fix the a bug where npm i --only=prod could remove development dependencies from lock-file. (@iarna)

• 3e12d2407 #20122 Improve the update-notifier messaging (borrowing ideas from pnpm) and eliminate false positives. (@zkat)

• f18be9b39 #20154 Let version succeed when package-lock.json is gitignored. (@nwoltman)

• ced29253d #20212 Ensure that we only create an etc directory if we are actually going to write files to it. (@buddydvd)

• 8e21b19a8 #20140 Note in documentation that package-lock.json version gets touched by npm version. (@srl295)

• 5d17c87d8 #20032 Fix bug where unauthenticated errors would get reported as both 404s and 401s, i.e. npm ERR! 404 Registry returned 401. In these cases the error message will now be much more informative. (@iarna)

• 05ff6c9b1 #20082 Allow optional @ prefix on scope with npm team commands for parity with other commands. (@bcoe)

• 6bef53891 #19580 Improve messaging when two-factor authentication is required while publishing. (@jdeniau)

• 155dab2bd Fix a bug where optional status of a dependency was not being saved to the package-lock on the initial install. (@iarna)

• 8d6a4cafc a0937e9af Ensure that --no-optional does not remove optional dependencies from the lock-file. (@iarna)

DEPENDENCY UPDATES

• 8baa37551 zkat/cipm#46 [email protected]: Detect binding.gyp for default install lifecycle. Let's npm ci work on projects that have their own C code. (@caleblloyd)
• 323f74242 zkat/json-parse-better-errors#1 [email protected] (@Hoishin)
• d0cf1f11e [email protected] (@mcollina)
• 9e9fdba5e [email protected] (@sindersorhus)
• 57fa33870 [email protected] (@joshbruce)
• d2b20d34b #20276 [email protected]
• 2b5700679 zkat/npx#172 [email protected] (@jdalton)

Sometimes major releases are a big splash, sometimes they're something smaller. This is the latter kind. That said, we expect to keep this in release candidate status until Node 10 ships at the end of April. There will likely be a few more features for the 6.0.0 release line between now and then. We do expect to have a bigger one later this year though, so keep an eye out for npm@7!

BREAKING AVOID DEPRECATED

When selecting versions to install, we now avoid deprecated versions if possible. For example:

Module: example
Versions:
1.0.0
1.1.0
1.1.2
1.1.3 (deprecated)
1.2.0 (latest)

If you ask npm to install example@~1.1.0, npm will now give you 1.1.2.

By contrast, if you installed example@~1.1.3 then you'd get 1.1.3, as it's the only version that can match the range.

• 78bebc0ce #20151 Skip deprecated versions when possible. (@zkat)

BREAKING UPDATE AND OUTDATED

When npm install is finding a version to install, it first checks to see if the specifier you requested matches the latest tag. If it doesn't, then it looks for the highest version that does. This means you can do release candidates on tags other than latest and users won't see them unless they ask for them. Promoting them is as easy as setting the latest tag to point at them.

Historically npm update and npm outdated worked differently. They just looked for the most recent thing that matched the semver range, disregarding the latest tag. We're changing it to match npm install's behavior.

• 3aaa6ef42 Make update and outdated respect latest interaction with semver as install does. (@iarna)
• e5fbbd2c9 [email protected] (@iarna)

PLUS ONE SMALLER PATCH

Technically this is a bug fix, but the change in behavior is enough of an edge case that I held off on bringing it in until a major version.

When we extract a binary and it starts with a shebang (or "hash bang"), that is, something like:

#!/usr/bin/env node

If the file has Windows line endings we strip them off of the first line. The reason for this is that shebangs are only used in Unix-like environments and the files with them can't be run if the shebang has a Windows line ending.

Previously we converted ALL line endings from Windows to Unix. With this patch we only convert the line with the shebang. (Node.js works just fine with either set of line endings.)

• 814658371 7265198eb [email protected]: Only rewrite the CR after a shebang (if any) when fixing up CR/LFs. (@iarna)

BREAKING SUPPORTED NODE VERSIONS

Per our supported Node.js policy, we're dropping support for both Node 4 and Node 7, which are no longer supported by the Node.js project.

• 077cbe917 Drop support for Node 4 and Node 7. (@iarna)

DEPENDENCIES

• 478fbe2d0 [email protected]
• b18d88178 [email protected]
• e02fa7497 [email protected]
• c8f8564be 311e55512 [email protected]

Coming to you this week are a fancy new package view, pack/publish previews and a handful of bug fixes! Let's get right in!

NEW PACKAGE VIEW

There's a new npm view in town. You might it as npm info or npm show. The new output gives you a nicely summarized view that for most packages fits on one screen. If you ask it for --json you'll still get the same results, so your scripts should still work fine.

• 143cdbf13 #19910 Add humanized default view. (@zkat)
• ca84be91c #19910 [email protected] (@zkat)
• 9a5807c4f #19910 [email protected] (@zkat)
• 23b4a4fac #19910 [email protected]

PACK AND PUBLISH PREVIEWS

The npm pack and npm publish commands print out a summary of the files included in the package. They also both now take the --dry-run flag, so you can double check your .npmignore settings before doing a publish.

• 116e9d827 #19908 Add package previews to pack and publish. Also add --dry-run and --json flags. (@zkat)

MERGE CONFLICT, SMERGE CONFLICT

If you resolve a package-lock.json merge conflict with npm install we now suggest you setup a merge driver to handle these automatically for you. If you're reading this and you'd like to set it up now, run:

npx npm-merge-driver install -g

• 5ebe99719 #20071 suggest installing the merge driver (@zkat)

MISC BITS

• a05e27b71 Going forward, record requested ranges not versions in the package-lock. (@iarna)
• f721eec59 Add 10 to Node.js supported version list. It's not out yet, but soon my pretties... (@iarna)

DEPENDENCY UPDATES

• 40aabb94e [email protected]: Fix bugs on docker and with some prepare scripts and npm ci. Fix a bug where script hooks wouldn't be called with npm ci. Fix a bug where npm ci and --prefix weren't compatible. (@isaacseymour) (@umarov) (@mikeshirov) (@billjanitsch)
• a85372e67 [email protected]: Switch to safe-buffer and Buffer.from. (@isaacs) (@ChALkeR)
• 588eabd23 [email protected]
• 07f27ee89 [email protected]
• 01e4e29bc [email protected]
• 344ba8819 [email protected]
• dc6df1bc4 [email protected]
• 97a976696 [email protected]
• 9b629d0c6 [email protected]

Hey again, everyone! While last release was focused largely around PRs from the CLI team, this release is mostly pulling in community PRs in npm itself and its dependencies! We've got a good chunk of wonderful contributions for y'all, and even new features and performance improvements! 🎉

We're hoping to continue our biweekly (as in every-other-week biweekly) release schedule from now on, so you should be seeing more steady npm releases from here on out. And that's good, 'cause we've got a ton of new stuff on our roadmap for this year. Keep an eye out for exciting news. 👀

FEATURES

• 2f513fe1c #19904 Make a best-attempt at preserving line ending style when saving package.json/package-lock.json/npm-shrinkwrap.json. This goes hand-in-hand with a previous patch to preserve detected indentation style. (@tuananh)
• d3cfd41a2 [email protected] (@zkat)
  • Enable file:-based resolved URIs in package-lock.json.
  • Retry git-based operations on certain types of failure.
• ecfbb16dc #19929 Add support for the NO_COLOR standard. This gives a cross-application, consistent way of disabling ANSI color code output. Note that npm already supported this through --no-color or npm_config_color='false' configurations, so this is just another way to do it. (@chneukirchen)
• fc8761daf #19629 Give more detailed, contextual information when npm fails to parse package-lock.json and npm-shrinkwrap.json, instead of saying JSON parse error and leaving you out in the cold. (@JoshuaKGoldberg)
• 1d368e1e6 #19157 Add --no-proxy config option. Previously, you needed to use the NO_PROXY environment variable to use this feature -- now it's an actual npm option. (@Saturate)
• f0e998daa #18426 Do environment variable replacement in config files even for config keys or fragments of keys. (@misak113)
• 9847c82a8 #18384 Better error messaging and suggestions when users get EPERM/EACCES errors. (@chrisjpatty)
• b9d0c0c01 #19448 Holiday celebrations now include all JavaScripters, not just Node developers. (@isaacs)

NPM CI

I hope y'all have been having fun with npm ci so far! Since this is the first release since that went out, we've had a few fixes and improvements now that folks have actually gotten their hands on it! Benchmarks have been super promising so far, and I've gotten messages from a lot of you saying you've sped up your CI work by 2-5x in some cases! Have a good example? Tell us on Twitter!

npm ci is, right now, the fastest installer you can use in CI situations, so go check it out if you haven't already! We'll continue doing performance improvements on it, and a lot of those will help make npm install fast as well. 🏎😎

• 0d7f203d9 [email protected] (@zkat)

This libcipm release includes a number of improvements:

• PERFORMANCE Reduce calls to read-package-json and separate JSON update phase from man/bin linking phase. npm ci should be noticeably faster.
• FEATURE Progress bar now fills up as packages are installed, instead of sitting there doing nothing.
• BUGFIX Add support for --only and --also options.
• BUFGIX Linking binaries and running scripts in parallel was causing packages to sometimes clobber each other when hoisted, as well as potentially running too many run-sripts in parallel. This is now a serial operation, and it turns out to have had relatively little actual performance impact.
• BUGFIX Stop adding _from to directory deps (aka file:packages/my-dep).

BUGFIXES

• 58d2aa58d #20027 Use a specific mtime when packing tarballs instead of the beginning of epoch time. This should allow npm pack to generate tarballs with identical hashes for identical contents, while fixing issues with some zip implementations that do not support pre-1980 timestamps. (@isaacs)
• 4f319de1d Don't fall back to couch adduser if we didn't try couch login. (@iarna)
• c8230c9bb #19608 Fix issue where using the npm-bundled npx on Windows was invoking npx prefix (and downloading that package). (@laggingreflex)
• d70c01970 #18953 Avoid using code that depends on node@>=4 in the unsupported check, so npm can report the issue normally instead of syntax-crashing. (@deployable)

DOCUMENTATION

• 4477ca2d9 [email protected]: Fixes issue preventing correct rendering of backticked strings. man pages should be rendering correctly now instead of having empty spaces wherever backticks were used. (@joshbruce)
• 71076ebda #19950 Add a note to install --production. (@kyranet)
• 3a33400b8 #19957 nudge around some details in ci docs (@zkat)
• 06038246a #19893 Add a common open reason to the issue template. (@MrStonedOne)
• 7376dd8af #19870 Fix typo in npm-config.md (@joebowbeer)
• 5390ed4fa #19858 Fix documented default value for config save option. It was still documented as false, even though [email protected] set it to true by default. (@nalinbhardwaj)
• dc36d850a #19552 Rework npm update docs now that --save is on by default. (@selbekk)
• 5ec5dffc8 #19726 Clarify that name and version fields are optional if your package is not supposed to be installable as a dependency. (@ngarnier)
• 046500994 #19676 Fix documented cache location on Windows. (@VladRassokhin)
• ffa84cd0f #19475 Added example for homepage field from package.json. (@cg-cnu)
• de72d9a18 #19307 Document the requires field in npm help package-lock.json. (@jcrben)
• 35c4abded #18976 Typo fix in coding style documentation. (@rinfan)
• 0616fd22a #19216 Add edit section to description in npm-team.md. (@WispProxy)
• c2bbaaa58 #19194 Tiny style fix in npm.md. (@WispProxy)
• dcdfdcbb0 #19192 Document --development flag in npm-ls.md. (@WispProxy)
• d7ff07135 #18514 Make it so javascript -> JavaScript. This is important. (@masonpawsey)
• 7a8705113 #18407 Clarify the mechanics of the file field in package.json a bit. (@bmacnaughton)
• b2a1cf084 #18382 Document the browser field in package.json. (@mxstbr)

MISC

• b8a48a959 #19907 Consolidate code for stringifying package.json and package locks. Also adds tests have been added to test that package[-lock].json files are written to disk with their original line endings. (@nwoltman)
• b4f707d9f #19879 Remove unused devDependency nock from .gitignore. (@watilde)
• 8150dd5f7 #16540 Stop doing an uninstall when using make clean. (@metux)

OTHER DEPENDENCY BUMPS

• ab237a2a5 [email protected] (@zkat)
• f6d668941 [email protected] (@zkat)
• 882bfbdfa [email protected] (@zkat)
• 6ae38055b [email protected]: Support git packed refs --all mode. (@zkat)
• 89db703ae [email protected] (@mcollina)
• 634dfa5f4 [email protected] (@rvagg)
• 92ad34439 [email protected] (@zkat)
• 75279c488 [email protected] (@isaacs)
• 228aba276 [email protected] (@iarna)
• 006e9d272 [email protected] (@zkat)
• 9985561e6 [email protected] (@bcomnes)
• 1dc6b3b52 [email protected] (@isaacs)

This release reverts a patch that could cause some ownership changes on system files when running from some directories when also using sudo. 😲

Thankfully, it only affected users running npm@next, which is part of our staggered release system, which we use to prevent issues like this from going out into the wider world before we can catch them. Users on latest would have never seen this!

The original patch was added to increase consistency and reliability of methods npm uses to avoid writing files as root in places it shouldn't, but the change was applied in places that should have used regular mkdirp`. This release reverts that patch.

• 74e149da6 #19883 Revert "*: Switch from mkdirp to correctMkdir to preserve perms and owners" This reverts commit 94227e15. (@zkat)

Hey y'all, it's been a while. Expect our release rate to increase back to normal here, as we've got a lot in the pipeline. Right now we've got a bunch of things from folks at npm. In the next release we'll be focusing on user contributions and there are a lot of them queued up!

This release brings a bunch of exciting new features and bug fixes.

PACKAGE-LOCK GIT MERGE CONFLICT RESOLUTION

Allow npm install to fix package-lock.json and npm-shrinkwrap.json files that have merge conflicts in them without your having to edit them. It works in conjunction with npm-merge-driver to entirely eliminate package-lock merge conflicts.

• e27674c22 Automatically resolve merge conflicts in lock-files. (@zkat)

NPM CI

The new npm ci command installs from your lock-file ONLY. If your package.json and your lock-file are out of sync then it will report an error.

It works by throwing away your node_modules and recreating it from scratch.

Beyond guaranteeing you that you'll only get what is in your lock-file it's also much faster (2x-10x!) than npm install when you don't start with a node_modules.

As you may take from the name, we expect it to be a big boon to continuous integration environments. We also expect that folks who do production deploys from git tags will see major gains.

• 5e4de9c99 Add new npm ci installer. (@zkat)

OTHER NEW FEATURES

• 4d418c21b #19817 Include contributor count in installation summary. (@kemitchell)
• 17079c2a8 Require password to change email through npm profile. (@iarna)
• e7c5d226a 4f5327c05 #19780 Add support for web-based logins. This is not yet available on the registry, however. (@isaacs)

BIG FIXES TO PRUNING

• 827951590 Handle running npm install package-name with a node_modules containing packages without sufficient metadata to verify their origin. The only way to get install packages like this is to use a non-npm package manager. Previously npm removed any packages that it couldn't verify. Now it will leave them untouched as long as you're not asking for a full install. On a full install they will be reinstalled (but the same versions will be maintained).

  This will fix problems for folks who are using a third party package manager to install packages that have postinstall scripts that run npm install. (@iarna)

• 3b305ee71 Only auto-prune on installs that will create a lock-file. This restores npm@4 compatible behavior when the lock-file is disabled. When using a lock-file npm will continue to remove anything in your node_modules that's not in your lock-file. (@iarna)

• cec5be542 Fix bug where npm prune --production would remove dev deps from the lock file. It will now only remove them from node_modules not from your lock file. (@iarna)

• 857dab03f Fix bug where git dependencies would be removed or reinstalled when installing other dependencies. (@iarna)

BUG FIXES TO TOKENS AND PROFILES

• a66e0cd03 For CIDR filtered tokens, allow comma separated CIDR ranges, as documented. Previously you could only pass in multiple cidr ranges with multiple --cidr command line options. (@iarna)
• d259ab014 Fix token revocation when an OTP is required. Previously you had to pass it in via --otp. Now it will prompt you for an OTP like other npm token commands. (@iarna)
• f8b1f6aec Update token and profile commands to support legacy (username/password) authentication. (The npm registry uses tokens, not username/password pairs, to authenticate commands.) (@iarna)

OTHER BUG FIXES

• 6954dfc19 Fix a bug where packages would get pushed deeper into the tree when upgrading without an existing copy on disk. Having packages deeper in the tree ordinarily is harmless but is not when peerDependencies are in play. (@iarna)
• 1ca916a1e Fix bug where when switching from a linked module to a non-linked module, the dependencies of the module wouldn't be installed on the first run of npm install. (@iarna)
• 8c120ebb2 Fix integrity matching to eliminate spurious EINTEGRITY errors. (@zkat)
• 94227e15e More consistently make directories using perm and ownership preserving features. (@iarna)

DEPENDENCY UPDATES

• 364b23c7f f2049f9e7 [email protected] (@zkat)
• d183d7675 [email protected]: (@iarna)
• ffd6ea62c [email protected]
• ee63b8a31 [email protected] (@isaacs)
• 6f73f5509 [email protected] (@dominictarr)
• 26cd64869 9bc6230cf [email protected] (@zkat)
• 21a39be42 [email protected]:5 (@joshbruce)
• dabdf57b2 [email protected]
• 2594c5867 [email protected] (@iarna)
• 8abb3f230 [email protected] (@isaacs)
• 11a0b00bd [email protected] (@zkat)
• 9b6bdb2c7 [email protected] (@sindresorhus)
• d6d17d6b5 [email protected] (@mcollina)
• 51370aad5 [email protected] (@isaacs)
• 0db14bac7 81da938ab 9999e83f8 [email protected] (@zkat)
• f526992ab [email protected] (@isaacs)
• be096b409 dc3059522 [email protected]
• 6b552daac [email protected] (@broofa)
• 8c9011b72 [email protected] (@rvagg)

Features!

You may have noticed this is a semver-minor bump. Wondering why? This is why!

• bc263c3fd #19054 Fully cross-platform package-lock.json. Installing a failing optional dependency on one platform no longer removes it from the dependency tree, meaning that package-lock.json should now be generated consistently across platforms! 🎉 (@iarna)
• f94fcbc50 #19160 Add --package-lock-only config option. This makes it so you can generate a target package-lock.json without performing a full install of node_modules. (@alopezsanchez)
• 66d18280c #19104 Add new --node-options config to pass through a custom NODE_OPTIONS for lifecycle scripts. (@bmeck)
• 114d518c7 Ignore mtime when packing tarballs: This means that doing npm pack on the same repository should yield two tarballs with the same checksum. This will also help prevent cache bloat when using git dependencies. In the future, this will allow npm to explicitly cache git dependencies. (@isaacs)

Node 9

Previously, it turns out npm broke on the latest Node, node@9. We went ahead and fixed it up so y'all should be able to use the latest npm again!

• 4ca695819 [email protected]: Fix node@9 incompatibility. (@isaacs)
• c851bb503 [email protected]: Fix node@9 incompatibility. (@isaacs)
• 6caf23096 Remove "unsupported" warning for Node 9 now that things are fixed. (@iarna)
• 1930b0f8c Update test matrix with node@8 LTS and node@9. (@iarna)

Bug Fixes

• b70321733 #18881 When dealing with a node_modules that was created with older versions of npm (and thus older versions of npa) we need to gracefully handle older spec entries. Failing to do so results in us treating those packages as if they were http remote deps, which results in invalid lock files with version set to tarball URLs. This should now be fixed. (@iarna)
• 2f9c5dd00 #18880 Stop overwriting version in package data on disk. This is another safeguard against the version overwriting that's plagued some folks upgrading from older package-locks. (@iarna) (@joshclow)
• a93e0a51d #18846 Correctly save transitive dependencies when using npm update in package-lock.json. (@iarna)
• fdde7b649 #18825 Fix typo and concatenation in error handling. (@alulsh)
• be67de7b9 #18711 Upgrade to bearer tokens from legacy auth when enabling 2FA. (@iarna)
• bfdf0fd39 #19033 Fix issue where files with @ signs in their names would not get included when packing tarballs. (@zkat)
• b65b89bde #19048 Fix problem where npm login was ignoring various networking-related options, such as custom certs. (@wejendorp)
• 8c194b86e [email protected]: Include node_modules/ directories not in the root. (@isaacs)
• d7ef6a20b [email protected]: Fix some *nix binary path escaping issues. (@zkat)
• 981828466 [email protected]: Fix fallback to copy-concurrently when file move fails. This might fix permissions and such issues on platforms that were getting weird filesystem errors during install. (@karolba)
• a0be6bafb [email protected]: Includes a bunch of fixes, specially for issues around git dependencies. Shasum-related errors should be way less common now, too. (@zkat)
• b80d650de #19163 Fix a number of git and tarball specs and checksum errors. (@zkat)
• cac225025 #19054 Don't count failed optionals when summarizing installed packages. (@iarna)

UX

• b1ec2885c #18326 Stop truncating output of npm view. This means, for example, that you no longer need to use --json when a package has a lot of versions, to see the whole list. (@SimenB)
• 55a124e0a #18884 Profile UX improvements: better messaging on unexpected responses, and stop claiming we set passwords to null when resetting them. (@iarna)
• 635481c61 #18844 Improve error messaging for OTP/2FA. (@iarna)
• 52b142ed5 #19054 Stop running the same rollback multiple times. This should address issues where Windows users saw strange failures when fsevents failed to install. (@iarna)
• 798428b0b #19172 [email protected]: Log the fact line endings are being changed upon install. (@marcosscriven)

Refactors

Usually, we don't include internal refactor stuff in our release notes, but it's worth calling out some of them because they're part of a larger effort the CLI team and associates are undertaking to modularize npm itself so other package managers and associated tools can reuse all that code!

• 9d22c96b7 #18500 Extract bin-links and gentle-fs to a separate library. This will allow external tools to do bin linking and certain fs operations in an npm-compatible way! (@mikesherov)
• 015a7803b #18883 Capture logging from log events on the process global. This allows npm to use npmlog to report logging from external libraries like npm-profile. (@iarna)
• c930e98ad [email protected]: Use our own node-gyp. This means npm no longer needs to pull some maneuvers to make sure node-gyp is in the right place, and that external packages using npm-lifecycle will get working native builds without having to do their own node-gyp maneuvers. (@zkochan)
• 876f0c8f3 829893d61 #19099 [email protected]: npm's prefix-finding logic is now a standalone module. That is, the logic that figures out where the root of your project is if you've cd'd into a subdirectory. Did you know you can run npm install from these subdirectories, and it'll only affect the root? It works like git! (@iarna)

Docs

• 7ae12b21c #18823 Fix spelling of the word authenticator. Because English is hard. (@tmcw)
• 5dfc3ab7b #18742 Explicitly state 'github:foo/bar' as a valid shorthand for hosted git specs. (@felicio)
• a9dc098a6 #18679 Add some documentation about the script-shell config. (@gszabo)
• 24d7734d1 #18571 Change verboten to forbidden. (@devmount)
• a8a45668f #18568 Improve wording for the docs for the "engines" section of package.json files. (@apitman)
• dbc7e5b60 #19118 Use valid JSON in example for bundledDependencies. (@charmander)
• 779339485 #19162 Remove trailing white space from npm access docs. (@WispProxy)

Dependency Bumps

• 0e7cac941 [email protected] (@petkaantonov)
• c4d5887d9 [email protected] (@sindresorhus)
• eb19a9691 [email protected] (@zkat)
• 91d5dca96 [email protected] (@iarna)
• 8de66c46e [email protected] (@zkat)
• cfbc3ea69 [email protected] (@rvagg)
• 60c228160 [email protected] (@sindresorhus)
• 72cad8c66 [email protected] (@iarna)

A very quick, record time, patch release, of a bug fix to a (sigh) last minute bug fix.

• e628e058b Fix login to properly recognize OTP request and store bearer tokens. ([@Rebecca Turner](https://github.com/Rebecca Turner))

Hey y'all, this is a big new feature release! We've got some security related goodies plus a some quality-of-life improvements for anyone who uses the public registry (so, virtually everyone).

The changes largely came together in one piece, so I'm just gonna leave the commit line here:

• f6ebf5e8b f97ad6a38 f644018e6 8af91528c 346a34260 Two factor authentication, profile editing and token management. (@iarna)

TWO FACTOR AUTHENTICATION

You can now enable two-factor authentication for your npm account. You can even do it from the CLI. In fact, you have to, for the time being:

npm profile enable-tfa

With the default two-factor authentication mode you'll be prompted to enter a one-time password when logging in, when publishing and when modifying access rights to your modules.

TOKEN MANAGEMENT

You can now create, list and delete authentication tokens from the comfort of the command line. Authentication tokens created this way can have NEW restrictions placed on them. For instance, you can create a read-only token to give to your CI. It will be able to download your private modules but it won't be able to publish or modify modules. You can also create tokens that can only be used from certain network addresses. This way you can lock down access to your corporate VPN or other trusted machines.

Deleting tokens isn't new, you could do it via the website but now you can do it via the CLI as well.

CHANGE YOUR PASSWORD, SET YOUR EMAIL

You can finally change your password from the CLI with npm profile set password! You can also update your email address with npm profile set email <address>. If you change your email address we'll send you a new verification email so you verify that its yours.

AND EVERYTHING ELSE ON YOUR PROFILE

You can also update all of the other attributes of your profile that previously you could only update via the website: fullname, homepage, freenode, twitter and github.

AVAILABLE STAND ALONE

All of these features were implemented in a stand alone library, so if you have use for them in your own project you can find them in npm-profile on the registry. There's also a little mini-cli written just for it at npm-profile-cli. You might also be interested in the API documentation for these new features: user profile editing and authentication.

BUG FIXES

• 5ee55dc71 install.sh: Drop support for upgrading from npm@1 as npm@5 can't run on any Node.js version that ships npm@1. This fixes an issue some folks were seeing when trying to upgrade using curl | http://npmjs.com/install.sh. (@iarna)
• 5cad1699a [email protected] Fix a bug where when more than one lifecycle script got queued to run, npm would crash. (@zkat)
• cd256cbb2 [email protected] Fix a bug where test directories would always be excluded from published modules. (@isaacs)
• 2a11f0215 Fix formatting of unsupported version warning (@iarna)

DEPENDENCY UPDATES

• 6d2a285a5 [email protected]
• 69e64e27b [email protected]
• 34e0f4209 [email protected]
• 10d31739d [email protected]
• 2b02e86c0 [email protected]
• b81fff808 [email protected]: Fixes a long standing bug in rimraf's attempts to work around Windows limitations where it owns a file and can change its perms but can't remove it without first changing its perms. This may be an improvement for Windows users of npm under some circumstances. (@isaacs)

This is a small bug fix release wrapping up most of the issues introduced with 5.4.0.

Bugs

• 0b28ac72d #18458 Fix a bug on Windows where rolling back of failed optional dependencies would fail. (@marcins)
• 3a1b29991 [email protected] Revert update of write-file-atomic. There were changes made to it that were resulting in EACCES errors for many users. (@iarna)
• cd8687e12 Fix a bug where if npm decided it needed to move a module during an upgrade it would strip out much of the package.json. This would result in broken trees after package updates.
• 5bd0244ee #18385 Fix npm outdated when run on non-registry dependencies. (@joshclow) (@iarna)

Ux

• 339f17b1e Report unsupported node versions with greater granularity. (@iarna)

Docs

• b2ab6f43b #18397 Document that the default loglevel with npm@5 is notice. (@KenanY)
• e5aedcd82 #18372 In npm-config documentation, note that env vars use _ in place of -. (@jakubholynet)

This is a very small bug fix release to fix a problem where permissions on installed binaries were being set incorrectly.

• 767ff6eee zkat/pacote#117 #18324 [email protected] (@zkat)

Here's another ~~small~~ big release, with a ~~handful~~ bunch of fixes and a couple of ~~small~~ new features! This release has been incubating rather longer than usual and it's grown quite a bit in that time. I'm also excited to say that it has contributions from 27 different folks, which is a new record for us. Our previous record was 5.1.0 at 21. Before that the record had been held by 1.3.16 since December of 2013.

If you can't get enough of the bleeding edge, I encourage you to check out our canary release of npm. Get it with npm install -g npmc. It's going to be seeing some exciting stuff in the next couple of weeks, starting with a rewriten npm dedupe, but moving on to… well, you'll just have to wait and find out.

PERFORMANCE

• d080379f6 [email protected] Updates extract to use tar@4, which is much faster than the older tar@2. It reduces install times by as much as 10%. (@zkat)
• 4cd6a1774 0195c0a8c #16804 [email protected] Update publish to use tar@4. tar@4 brings many advantages over tar@2: It's faster, better tested and easier to work with. It also produces exactly the same byte-for-byte output when producing tarballs from the same set of files. This will have some nice carry on effects for things like caching builds from git. And finally, last but certainly not least, upgrading to it also let's us finally eliminate fstream—if you know what that is you'll know why we're so relieved. (@isaacs)

FEATURES

• 1ac470dd2 #10382 If you make a typo when writing a command now, npm will print a brief "did you mean..." message with some possible alternatives to what you meant. (@watilde)
• 20c46228d #12356 When running lifecycle scripts, INIT_CWD will now contain the original working directory that npm was executed from. Remember that you can use npm run-script even if you're not inside your package root directory! (@MichaelQQ)
• be91e1726 4e7c41f4a [email protected]: Fixes a number of issues on Windows and adds support for several more languages: Korean, Norwegian (bokmål and nynorsk), Ukrainian, Serbian, Bahasa Indonesia, Polish, Dutch and Arabic. (@zkat)
• 2dec601c6 #17142 Add the new commit-hooks option to npm version so that you can disable commit hooks when committing the version bump. (@faazshift)
• bde151902 #14461 Make output from npm ping clear as to its success or failure. (@legodude17)

BUGFIXES

• b6d5549d2 #17844 Make package-lock.json sorting locale-agnostic. Previously, sorting would vary by locale, due to using localeCompare for key sorting. This'll give you a little package-lock.json churn as it reshuffles things, sorry! (@LotharSee)
• 44b98b9dd #17919 Fix a crash where npm prune --production would fail while removing .bin. (@fasterthanlime)
• c3d1d3ba8 #17816 Fail more smoothly when attempting to install an invalid package name. (@SamuelMarks)
• 55ac2fca8 #12784 Guard against stack overflows when marking packages as failed. (@vtravieso)
• 597cc0e4b #15087 Stop outputting progressbars or using color on dumb terminals. (@iarna)
• 7a7710ba7 #15088 Don't exclude modules that are both dev & prod when using npm ls --production. (@iarna)
• 867df2b02 #18164 Only do multiple procs on OSX for now. We've seen a handful of issues relating to this in Docker and in on Windows with antivirus. (@zkat)
• 23540af7b #18117 Some package managers would write spaces to the _from field in package.json's in the form of name @spec. This was causing npm to fail to interpret them. We now handle that correctly and doubly make sure we don't do that ourselves. (@IgorNadj)
• 0ef320cb4 #16634 Convert any bin script with a shbang a the start to Unix line-endings. (These sorts of scripts are not compatible with Windows line-endings even on Windows.) (@ScottFreeCode)
• 71191ca22 #16476 [email protected] Running an install with --ignore-scripts was resulting in the the package object being mutated to have the lifecycle scripts removed from it and that in turn was being written out to disk, causing further problems. This fixes that: No more mutation, no more unexpected changes. (@addaleax)
• 459fa9d51 npm/read-package-json#74 #17802 [email protected] Use unix-style slashes for generated bin entries, which lets them be cross platform even when produced on Windows. (@iarna)
• 5ec72ab5b #18229 Make install.sh find nodejs on debian. (@cebe)

DOCUMENTATION

• b019680db #10846 Remind users that they have to install missing peerDependencies manually. (@ryanflorence)
• 3aee5986a #17898 Minor punctuation fixes to the README. (@AndersDJohnson)
• e0d0a7e1d #17832 Fix grammar, format, and spelling in documentation for run-script. (@simonua)
• 3fd6a5f2f #17897 Add more info about using files with npm pack/npm publish. (@davidjgoss)
• f00cdc6eb #17785 Add a note about filenames for certificates on Windows, which use a different extension and file type. (@lgp1985)
• 0cea6f974 #18022 Clarify usage for the files field in package.json. (@xcambar)
• a0fdd1571 #15234 Clarify the behavior of the files array in the package-json docs. (@jbcpollak)
• cecd6aa5d #18137 Clarify interaction between npmignore and files in package.json. (@supertong)
• 6b8972039 #18044 Corrected the typo in package-locks docs. (@vikramnr)
• 6e012924f #17667 Fix description of package.json in npm-scripts docs. (@tripu)

POSSIBLY INTERESTING DEPENDENCY UPDATES

• 48d84171a f60b05d63 [email protected] Perf improvements. (@zkat)
• f4650b5d4 [email protected]: Serialize writes to the same file so that results are deterministic. Cleanup tempfiles when process is interrupted or killed. (@ferm10n) (@iarna)

CHORES

• 96d78df98 80e2f4960 4f49f687b 07d2296b1 a267ab430 #18176 #18025 Move the lifecycle code out of npm into a separate library, npm-lifecycle. Shh, I didn't tell you this, but this portends to some pretty cool stuff to come very soon now. (@mikesherov)
• 0933c7eaf #18025 Force Travis to use Precise instead of Trusty. We have issues with our couchdb setup and Trusty. =/ (@mikesherov)
• afb086230 #18138 Fix typos in files-and-ignores test. (@supertong)
• 3e6d11cde #18175 Update dependencies to eliminate transitive dependencies with the WTFPL license, which some more serious corporate lawyery types aren't super comfortable with. (@zkat)
• ee4c9bd8a #16474 The tests in test/tap/lifecycle-signal.js, as well as the features they are testing, are partially broken. This moves them from being skipped in CI to being disabled only for certain platforms. In particular, because npm spawns its lifecycle scripts in a shell, signals are not necessarily forwarded by the shell and won’t cause scripts to exit; also, shells may report the signal they receive using their exit status, rather than terminating themselves with a signal. (@addaleax)
• 9462e5d9c #16547 Remove unused file: bin/read-package-json.js (@metux)
• 0756d687d #16550 The build tools for the documentation need to be built/installed before the documents, even with parallel builds. Make has a simple mechanism which was made exactly for that: target dependencies. (@metux)

As mentioned before, we're continuing to do relatively rapid, smaller releases as we keep working on stomping out npm@5 issues! We've made a lot of progress since 5.0 already, and this release is no exception.

FEATURES

• 1e3a46944 #17616 Add --link filter option to npm ls. (@richardsimko)
• 33df0aaa [email protected] (@zkat):
  • 4 new languages - Czech, Italian, Turkish, and Chinese (Traditional)! This means npx is available in 14 different languages!
  • New --node-arg option lets you pass CLI arguments directly to node when the target binary is found to be a Node.js script.

BUGFIXES

• 33df0aaa [email protected] (@zkat):
  • npx should now work on (most) Windows installs. A couple of issues remain.
  • Prevent auto-fallback from going into an infinite loop when npx disappears.
  • npx npx npx npx npx npx npx npx works again.
  • update-notifier will no longer run for the npx bundled with npm.
  • npx <cmd> in a subdirectory of your project should be able to find your node_modules/.bin now. Oops
• 8e979bf80 Revert change where npm stopped flattening modules that required peerDeps. This caused problems because folks were using peer deps to indicate that the target of the peer dep needed to be able to require the dependency and had been relying on the fact that peer deps didn't change the shape of the tree (as of npm@3). The fix that will actually work for people is for a peer dep to insist on never being installed deeper than the the thing it relies on. At the moment this is tricky because the thing the peer dep relies on may not yet have been added to the tree, so we don't know where it is. (@iarna)
• 7f28a77f3 #17733 Split remove and unbuild actions into two to get uninstall lifecycles and the removal of transitive symlinks during uninstallation to run in the right order. (@iarna)
• 637f2548f #17748 When rolling back use symlink project-relative path, fixing some issues with fs-vacuum getting confused while removing symlinked things. (@iarna)
• f153b5b22 #17706 Use semver to compare node versions in npm doctor instead of plain > comparison. (@leo-shopify)
• 542f7561 #17742 Fix issue where npm version would sometimes not commit package-locks. (@markpeterfejes)
• 51a9e63d #17777 Fix bug exposed by other bugfixes where the wrong package would be removed. (@iarna)

DOCUMENTATION

Have we mentioned we really like documentation patches? Keep sending them in! Small patches are just fine, and they're a great way to get started contributing to npm!

• fb42d55a9 #17728 Document semver git urls in package.json docs. (@sankethkatta)
• f398c700f #17684 Tweak heading hierarchy in package.json docs. (@sonicdoe)
• d5ad65e50 #17691 Explicitly document --no-save flag for uninstall. (@timneedham)

It's only been a couple of days but we've got some bug fixes we wanted to get out to you all. We also believe that npx is ready to be bundled with npm, which we're really excited about!

npx!!!

npx is a tool intended to help round out the experience of using packages from the npm registry — the same way npm makes it super easy to install and manage dependencies hosted on the registry, npx is meant to make it easy to use CLI tools and other executables hosted on the registry. It greatly simplifies a number of things that, until now, required a bit of ceremony to do with plain npm.

@zkat has a great introduction post to npx that I highly recommend you give a read

• fb040bee0 #17685 Bundle npx with npm itself. (@zkat)

BUG FIXES

• 9fe905c39 #17652 Fix max callstack exceeded loops with trees with circular links. (@iarna)
• c0a289b1b #17606 Make sure that when write package.json and package-lock.json we always use unix path separators. (@Standard8)
• 1658b79ca #17654 Make npm outdated show results for globals again. Previously it never thought they were out of date. (@iarna)
• 06c154fd6 #17678 Stop flattening modules that have peer dependencies. We're making this change to support scenarios where the module requiring a peer dependency is flattened but the peer dependency itself is not, due to conflicts. In those cases the module requiring the peer dep can't be flattened past the location its peer dep was placed in. This initial fix is naive, never flattening peer deps, and we can look into doing something more sophisticated later on. (@iarna)
• 88aafee8b #17677 There was an issue where updating a flattened dependency would sometimes unflatten it. This only happened when the dependency had dependencies that in turn required the original dependency. (@iarna)
• b58ec8eab #17626 Integrators who were building their own copies of npm ran into issues because make install and https://npmjs.com/install.sh weren't aware that npm install creates links now when given a directory to work on. This does not impact folks installing npm with npm install -g npm. (@iarna)

DOC FIXES

• 10bef735e #17645 Fix some github issue links in the 5.1.0 changelog (@schmod)
• 85fa9dcb2 #17634 Fix typo in package-lock docs. (@sonicdoe)
• 688699bef #17628 Recommend that folks looking for support join us on https://package.community/ or message @npm_support on Twitter. (@strugee)

Hey y'all~

We've got some goodies for you here, including npm@5's first semver-minor release! This version includes a huge number of fixes, particularly for some of the critical bugs users were running into after upgrading npm. You should overall see a much more stable experience, and we're going to continue hacking on fixes for the time being. Semver-major releases, specially for tools like npm, are bound to cause some instability, and getting npm@5 stable is the CLI team's top priority for now!

Not that bugfixes are the only things that landed, either: between improvements that fell out of the bugfixes, and some really cool work by community members like @mikesherov, [email protected] is twice as fast as [email protected] in some benchmarks. We're not stopping there, either: you can expect a steady stream of speed improvements over the course of the year. It's not top priority, but we'll keep doing what we can to make sure npm saves its users as much time as possible.

Hang on to your seats. At 100 commits, this release is a bit of a doozy. 😎

FEATURES

Semver-minor releases, of course, mean that there's a new feature somewhere, right? Here's what's bumping that number for us this time:

• a09c1a69d #16687 Allow customizing the shell used to execute run-scripts. (@mmkal)
• 4f45ba222 a48958598 901bef0e1 #17508 Add a new requires field to package-lock.json with information about the logical dependency tree. This includes references to the specific version each package is intended to see, and can be used for many things, such as converting package-lock.json to other lockfile formats, various optimizations, and verifying correctness of a package tree. (@iarna)
• 47e8fc8eb #17508 Make npm ls take package locks (and shrinkwraps) into account. This means npm ls can now be used to see which dependencies are missing, so long as a package lock has been previously generated with it in. (@iarna)
• f0075e7ca #17508 Take package.json changes into account when running installs -- if you remove or add a dependency to package.json manually, npm will now pick that up and update your tree and package lock accordingly. (@iarna)
• 83a5455aa #17205 Add npm udpate as an alias for npm update, for symmetry with install/isntall. (@gdassori)
• 57225d394 #17120 npm will no longer warn about preferGlobal, and the option is now deprecated. (@zkat)
• 82df7bb16 #17351 As some of you may already know npm build doesn't do what a lot of people expect: It's mainly an npm plumbing command, and is part of the more familiar npm rebuild command. That said, a lot of users assume that this is the way to run an npm run-script named build, which is an incredibly common script name to use. To clarify things for users, and encourage them to use npm run build instead, npm will now warn if npm build is run without any arguments. (@lennym)

PERFORMANCE

• 59f86ef90 43be9d222 e906cdd98 #16633 npm now parallelizes tarball extraction across multiple child process workers. This can significantly speed up installations, specially when installing from cache, and will improve with number of processors. (@zkat)
• e0849878d #17441 Avoid building environment for empty lifecycle scripts. This change alone accounted for as much as a 15% speed boost for npm installations by outright skipping entire steps of the installer when not needed. (@mikesherov)
• 265c2544c npm/hosted-git-info#24 [email protected]: Add caching to fromURL, which gets called many, many times by the installer. This improved installation performance by around 10% on realistic application repositories. (@mikesherov)
• 901d26cb npm/read-package-json#20 [email protected]: Speed up installs by as much as 20% by reintroducing a previously-removed cache and making it actually be correct this time around. (@mikesherov)
• 44e37045d Eliminate Bluebird.promisifyAll from our codebase. (@iarna)
• 3b4681b53 #17508 Stop calling addBundle on locked deps, speeding up the package-lock.json-based fast path. (@iarna)

BUGFIXES

• #17508 This is a big PR that fixes a variety of issues when installing from package locks. If you were previously having issues with missing dependencies or unwanted removals, this might have fixed it (@iarna):
  • It introduces a new package-lock.json field, called requires, which tracks which modules a given module requires.
  • It fixes #16839 which was caused by not having this information available, particularly when git dependencies were involved.
  • It fixes #16866, allowing the package.json to trump the package-lock.json.
  • npm ls now loads the shrinkwrap, which opens the door to showing a full tree of dependencies even when nothing is yet installed. (It doesn't do that yet though.)
• 656544c31 d21ab57c3 #16637 Fix some cases where npm prune was leaving some dependencies unpruned if to-be-pruned dependencies depended on them. (@exogen)
• 394436b09 #17552 Make refresh-package-json re-verify the package platform. This fixes an issue most notably experienced by Windows users using create-react-app where fsevents would not short-circuit and cause a crash during its otherwise-skipped native build phase. (@zkat)
• 9e5a94354 #17590 Fix an issue where npm@5 would crash when trying to remove packages installed with npm@<5. (@iarna)
• c3b586aaf #17141 Don't update the package.json when modifying packages that don't go there. This was previously causing package.json to get a "false": {} field added. (@iarna)
• d04a23de2 4a5b360d5 d9e53db48 [email protected] (@colinrotherham, @zkat, @mcibique):
  • zkat/pacote#102 Fix issue with tar extraction and special characters.
  • Enable loose semver parsing in some missing corner cases.
• e2f815f87 #17104 Write an empty str and wait for flush to exit to reduce issues with npm exiting before all output is complete when it's a child process. (@zkat)
• 835fcec60 #17060 Make git repos with prepare scripts always install with both dev and prod flags. (@intellix)
• f1dc8a175 #16879 Fix support for always-auth and _auth. They are now both available in both unscoped and registry-scoped configurations. (@jozemlakar)
• ddd8a1ca2 Serialize package specs to prevent [object Object] showing up in logs during extraction. (@zkat)
• 99ef3b52c #17505 Stop trying to commit updated npm-shrinkwrap.json and package-lock.json if they're .gitignored. (@zkat)
• 58be2ec59 Make sure uid and gid are getting correctly set even when they're 0. This should fix some Docker-related issues with bad permissions/broken ownership. (@rgrove) (@zkat)
• 9d1e3b6fa #17506 Skip writing package.json and locks if on-disk version is identical to the new one. (@zkat)
• 3fc6477a8 #17592 Fix an issue where npm install -g . on a package with no name field would cause the entire global node_modules directory to be replaced with a symlink to $CWD. lol. (@iarna)
• 06ba0a14a #17591 Fix spurious removal reporting: if you tried to remove something that didn't actually exist, npm would tell you it removed 1 package even though there wasothing to do. (@iarna)
• 20ff05f8 #17629 When removing a link, keep dependencies installed inside of it instead of removing them, if the link is outside the scope of the current project. This fixes an issue where removing globally-linked packages would remove all their dependencies in the source directory, as well as some ergonomic issues when using links in other situations. (@iarna)

DOCS

• fd5fab595 #16441 Add spec for npm-shrinkwrap.json and package-lock.json from RFC. (@iarna)
• 9589c1ccb #17451 Fix typo in changelog. (@watilde)
• f8e76d856 #17370 Correct the default prefix config path for Windows operating systems in the documentation for npm folders. (@kierendixon)
• d0f3b5a12 #17369 Fix npm-config reference to userconfig & globalconfig environment variables. (@racztiborzoltan)
• 87629880a #17336 Remove note in docs about prepublish being entirely removed. (@Hirse)
• a1058afd9 #17169 Document --no-package-lock flag. (@leggsimon)
• 32fc6e41a #17250 Fix a typo in the shrinkwrap docs. (@Zarel)
• f19bd3c8c #17249 Fix a package-lock.json cross-reference link. (@not-an-aardvark)
• 153245edc #17075 Fix a typo in npm-config docs. (@KennethKinLum)
• c9b534a14 #17074 Clarify config documention with multiple boolean flags. (@KennethKinLum)
• e111b0a40 #16768 Document the -l option to npm config list. (@happylynx)
• 5a803ebad #16548 Fix permissions for documentation files. Some of them had +x set. (???) (@metux)
• d57d4f48c #17319 Document that the --silent option for npm run-script can be used to suppress npm ERR! output on errors. (@styfle)

MISC

Not all contributions need to be visible features, docs, or bugfixes! It's super helpful when community members go over our code and help clean it up, too!

• 9e5b76140 #17411 Convert all callback-style move usage to use Promises. (@vramana)
• 0711c08f7 #17394 Remove unused argument in deepSortObject. (@vramana)
• 7d650048c #17563 Refactor some code to use Object.assign. (@vramana)
• 993f673f0 #17600 Remove an old comment. (@vramana)

Hey y'all. This is another minor patch release with a variety of little fixes we've been accumulating~

• f0a37ace9 Fix npm doctor when hitting registries without ping. (@zkat)
• 64f0105e8 Fix invalid format error when setting cache-related headers. ([@Kat Marchán](https://github.com/Kat Marchán))
• d2969c80e Fix spurious EINTEGRITY issue. (@zkat)
• 800cb2b4e #17076 Use legacy from field to improve upgrade experience from legacy shrinkwraps and installs. (@zkat)
• 4100d47ea #17007 Restore loose semver parsing to match older npm behavior when running into invalid semver ranges in dependencies. (@zkat)
• 35316cce2 #17005 Emulate npm@4's behavior of simply marking the peerDep as invalid, instead of crashing. (@zkat)
• e7e8ee5c5 #16937 Workaround for separate bug where requested was somehow null. (@forivall)
• 2d9629bb2 Better logging output for git errors. (@zkat)
• 2235aea73 More scp-url fixes: parsing only worked correctly when a committish was present. (@zkat)
• 80c33cf5e Standardize package permissions on tarball extraction, instead of using perms from the tarball. This matches previous npm behavior and fixes a number of incompatibilities in the wild. (@zkat)
• 2b1e40efb Limit shallow cloning to hosts which are known to support it. (@zkat)

Happy Monday, y'all! We've got another npm release for you with the fruits of our ongoing bugsquashing efforts. You can expect at least one more this week, but probably more -- and as we announced last week, we'll be merging fixes more rapidly into the npmc canary so you can get everything as soon as possible!

Hope y'all are enjoying npm5 in the meantime, and don't hesitate to file issues for anything you find! The goal is to get this release rock-solid as soon as we can. 💚

• 6e12a5cc0 Bump several dependencies to get improvements and bugfixes:
  • cacache: content files (the tarballs) are now read-only.
  • pacote: fix failing clones with bad heads, send extra TLS-related opts to proxy, enable global auth configurations and _auth-based auth.
  • ssri: stop crashing with can't call method find of undefined when running into a weird opts.integrity/opts.algorithms conflict during verification. (@zkat)
• 89cc8e3e1 #16917 Send ca, cert and key config through to network layer. (@colinrotherham)
• 6a9b51c67 #16929 Send npm-session header value with registry requests again. (@zarenner)
• 662a15ab7 Fix npm doctor so it stop complaining about read-only content files in the cache. (@zkat)
• 191d10a66 #16918 Clarify prepublish deprecation message. (@Hirse)

v5.0.2 (2017-06-02)

Here's another patch release, soon after the other!

This particular release includes a slew of fixes to npm's git support, which was causing some issues for a chunk of people, specially those who were using self-hosted/Enterprise repos. All of those should be back in working condition now.

There's another shiny thing you might wanna know about: npm has a Canary release now! The npm5 experiment we did during our beta proved to be incredibly successful: users were able to have a tight feedback loop between reports and getting the bugfixes they needed, and the CLI team was able to roll out experimental patches and have the community try them out right away. So we want to keep doing that.

From now on, you'll be able to install the 'npm canary' with npm i -g npmc. This release will be a separate binary (npmc. Because canary. Get it?), which will update independently of the main CLI. Most of the time, this will track release-next or something close to it. We might occasionally toss experimental branches in there to see if our more adventurous users run into anything interesting with it. For example, the current canary ([email protected]) includes an experimental multiproc branch that parallelizes tarball extraction across multiple processes.

If you find any issues while running the canary version, please report them and let us know it came from npmc! It would be tremendously helpful, and finding things early is a huge reason to have it there. Happy hacking!

A NOTE ABOUT THE ISSUE TRACKER

Just a heads up: We're preparing to do a massive cleanup of the issue tracker. It's been a long time since it was something we could really keep up with, and we didn't have a process for dealing with it that could actually be sustainable.

We're still sussing the details out, and we'll talk about it more when we're about to do it, but the plan is essentially to close old, abandoned issues and start over. We will also add some automation around issue management so that things that we can't keep up with don't just stay around forever.

Stay tuned!

GIT YOLO

• 1f26e9567 [email protected]: Fixes installing committishes that look like semver, even though they're not using the required #semver: syntax. (@zkat)
• 85ea1e0b9 [email protected]: This includes the npa git-parsing patch to make it so non-hosted SCP-style identifiers are correctly handled. Previously, npa would mangle them (even though hosted-git-info is doing the right thing for them). (@zkat)

COOL NEW OUTPUT

The new summary output has been really well received! One downside that reared its head as more people used it, though, is that it doesn't really tell you anything about the toplevel versions it installed. So, if you did npm i -g foo, it would just say "added 1 package". This patch by @rmg keeps things concise while still telling you what you got! So now, you'll see something like this:

$ npm i -g foo bar
+ [email protected]
+ [email protected]
added 234 packages in .005ms

• 362f9fd5b #16899 For every package that is given as an argument to install, print the name and version that was actually installed. (@rmg)

OTHER BUGFIXES

• a47593a98 #16835 Fix a crash while installing with --no-shrinkwrap. (@jacknagel)

DOC UPATES

• 89e0cb816 #16818 Fixes a spelling error in the docs. Because the CLI team has trouble spelling "package", I guess. (@ankon)
• c01fbc46e #16895 Remove --save from npm init instructions, since it's now the default. (@jhwohlgemuth)
• 80c42d218 Guard against cycles when inflating bundles, as symlinks are bundles now. (@iarna)
• 7fe7f8665 #16674 Write the builtin config for npmc, not just npm. This is hardcoded for npm self-installations and is needed for Canary to work right. (@zkat)

DEP UPDATES

• 63df4fcdd #16894 [email protected]: Fixes an issue parsing SDK versions on Windows, among other things. (@refack)
• 5bb15c3c4 [email protected]: Fixes some racyness while reading the tree. (@iarna)
• a6f7a52e7 [email protected]: Remove nested function declaration for speed up (@mikesherov)