the npm blog
Blog about npm things.
-
v5.6.0 (2017-11-27)
Features!
You may have noticed this is a semver-minor bump. Wondering why? This is why!
bc263c3fd#19054 Fully cross-platformpackage-lock.json. Installing a failing optional dependency on one platform no longer removes it from the dependency tree, meaning thatpackage-lock.jsonshould now be generated consistently across platforms! 🎉 (@iarna)f94fcbc50#19160 Add--package-lock-onlyconfig option. This makes it so you can generate a targetpackage-lock.jsonwithout performing a full install ofnode_modules. (@alopezsanchez)66d18280c#19104 Add new--node-optionsconfig to pass through a customNODE_OPTIONSfor lifecycle scripts. (@bmeck)114d518c7Ignore mtime when packing tarballs: This means that doingnpm packon the same repository should yield two tarballs with the same checksum. This will also help prevent cache bloat when using git dependencies. In the future, this will allow npm to explicitly cache git dependencies. (@isaacs)
Node 9
Previously, it turns out npm broke on the latest Node,
node@9. We went ahead and fixed it up so y'all should be able to use the latest npm again!4ca695819minizlib@1.0.4:Fix node@9incompatibility. (@isaacs)c851bb503tar@4.0.2: Fixnode@9incompatibility. (@isaacs)6caf23096Remove “unsupported” warning for Node 9 now that things are fixed. (@iarna)1930b0f8cUpdate test matrix withnode@8LTS andnode@9. (@iarna)
Bug Fixes
b70321733#18881 When dealing with anode_modulesthat was created with older versions of npm (and thus older versions of npa) we need to gracefully handle older spec entries. Failing to do so results in us treating those packages as if they were http remote deps, which results in invalid lock files withversionset to tarball URLs. This should now be fixed. (@iarna)2f9c5dd00#18880 Stop overwriting version in package data on disk. This is another safeguard against the version overwriting that’s plagued some folks upgrading from older package-locks. (@iarna) (@joshclow)a93e0a51d#18846 Correctly save transitive dependencies when usingnpm updateinpackage-lock.json. (@iarna)fdde7b649#18825 Fix typo and concatenation in error handling. (@alulsh)be67de7b9#18711 Upgrade to bearer tokens from legacy auth when enabling 2FA. (@iarna)bfdf0fd39#19033 Fix issue where files with@signs in their names would not get included when packing tarballs. (@zkat)b65b89bde#19048 Fix problem wherenpm loginwas ignoring various networking-related options, such as custom certs. (@wejendorp)8c194b86enpm-packlist@1.1.10: Includenode_modules/directories not in the root. (@isaacs)d7ef6a20blibnpx@9.7.1: Fix some *nix binary path escaping issues. (@zkat)981828466cacache@10.0.1: Fix fallback tocopy-concurrentlywhen file move fails. This might fix permissions and such issues on platforms that were getting weird filesystem errors during install. (@karolba)a0be6bafbpacote@7.0.2: Includes a bunch of fixes, specially for issues around git dependencies. Shasum-related errors should be way less common now, too. (@zkat)b80d650de#19163 Fix a number of git and tarball specs and checksum errors. (@zkat)cac225025#19054 Don’t count failed optionals when summarizing installed packages. (@iarna)
UX
b1ec2885c#18326 Stop truncating output ofnpm view. This means, for example, that you no longer need to use--jsonwhen a package has a lot of versions, to see the whole list. (@SimenB)55a124e0a#18884 Profile UX improvements: better messaging on unexpected responses, and stop claiming we set passwords to null when resetting them. (@iarna)635481c61#18844 Improve error messaging for OTP/2FA. (@iarna)52b142ed5#19054 Stop running the same rollback multiple times. This should address issues where Windows users saw strange failures whenfseventsfailed to install. (@iarna)798428b0b#19172bin-links@1.1.0: Log the fact line endings are being changed upon install. (@marcosscriven)
Refactors
Usually, we don’t include internal refactor stuff in our release notes, but it’s worth calling out some of them because they’re part of a larger effort the CLI team and associates are undertaking to modularize npm itself so other package managers and associated tools can reuse all that code!
9d22c96b7#18500 Extract bin-links and gentle-fs to a separate library. This will allow external tools to do bin linking and certain fs operations in an npm-compatible way! (@mikesherov)015a7803b#18883 Capture logging from log events on the process global. This allows npm to use npmlog to report logging from external libraries likenpm-profile. (@iarna)c930e98adnpm-lifecycle@2.0.0: Use our ownnode-gyp. This means npm no longer needs to pull some maneuvers to make surenode-gypis in the right place, and that external packages usingnpm-lifecyclewill get working native builds without having to do their ownnode-gypmaneuvers. (@zkochan)876f0c8f3829893d61#19099find-npm-prefix@1.0.1: npm’s prefix-finding logic is now a standalone module. That is, the logic that figures out where the root of your project is if you’vecd’d into a subdirectory. Did you know you can runnpm installfrom these subdirectories, and it’ll only affect the root? It works like git! (@iarna)
Docs
7ae12b21c#18823 Fix spelling of the word authenticator. Because English is hard. (@tmcw)5dfc3ab7b#18742 Explicitly state ‘github:foo/bar’ as a valid shorthand for hosted git specs. (@felicio)a9dc098a6#18679 Add some documentation about thescript-shellconfig. (@gszabo)24d7734d1#18571 Changeverbotentoforbidden. (@devmount)a8a45668f#18568 Improve wording for the docs for the “engines” section of package.json files. (@apitman)dbc7e5b60#19118 Use valid JSON in example for bundledDependencies. (@charmander)779339485#19162 Remove trailing white space fromnpm accessdocs. (@WispProxy)
Dependency Bumps
0e7cac941bluebird@3.5.1(@petkaantonov)c4d5887d9update-notifier@2.3.0(@sindresorhus)eb19a9691npm-package-arg@6.0.0(@zkat)91d5dca96npm-profile@2.0.5(@iarna)8de66c46essri@5.0.0(@zkat)cfbc3ea69worker-farm@1.5.1(@rvagg)60c228160query-string@5.0.1(@sindresorhus)72cad8c66copy-concurrently@1.0.5(@iarna)
