The npm blog has been discontinued.
Hey y'all, it’s been a while. Expect our release rate to increase back to normal here, as we’ve got a lot in the pipeline. Right now we’ve got a bunch of things from folks at npm. In the next release we’ll be focusing on user contributions and there are a lot of them queued up!
This release brings a bunch of exciting new features and bug fixes.
PACKAGE-LOCK GIT MERGE CONFLICT RESOLUTION
npm install to fix
npm-shrinkwrap.json files that have merge conflicts in them without your having to edit them. It works in conjunction with
npm-merge-driver to entirely eliminate package-lock merge conflicts.
npm ci command installs from your lock-file ONLY. If your
package.json and your lock-file are out of sync then it will report an error.
It works by throwing away your
node_modules and recreating it from scratch.
Beyond guaranteeing you that you’ll only get what is in your lock-file it’s also much faster (2x-10x!) than
npm install when you don’t start with a
As you may take from the name, we expect it to be a big boon to continuous integration environments. We also expect that folks who do production deploys from git tags will see major gains.
OTHER NEW FEATURES
4d418c21b#19817 Include contributor count in installation summary. (@kemitchell)
17079c2a8Require password to change email through
npm profile. (@iarna)
4f5327c05#19780 Add support for web-based logins. This is not yet available on the registry, however. (@isaacs)
BIG FIXES TO PRUNING
npm install package-namewith a
node_modulescontaining packages without sufficient metadata to verify their origin. The only way to get install packages like this is to use a non-
npmpackage manager. Previously
npmremoved any packages that it couldn’t verify. Now it will leave them untouched as long as you’re not asking for a full install. On a full install they will be reinstalled (but the same versions will be maintained).
This will fix problems for folks who are using a third party package manager to install packages that have
postinstallscripts that run
npm install. (@iarna)
3b305ee71Only auto-prune on installs that will create a lock-file. This restores
npm@4compatible behavior when the lock-file is disabled. When using a lock-file
npmwill continue to remove anything in your
node_modulesthat’s not in your lock-file. (@iarna)
cec5be542Fix bug where
npm prune --productionwould remove dev deps from the lock file. It will now only remove them from
node_modulesnot from your lock file. (@iarna)
857dab03fFix bug where git dependencies would be removed or reinstalled when installing other dependencies. (@iarna)
BUG FIXES TO TOKENS AND PROFILES
a66e0cd03For CIDR filtered tokens, allow comma separated CIDR ranges, as documented. Previously you could only pass in multiple cidr ranges with multiple
--cidrcommand line options. (@iarna)
d259ab014Fix token revocation when an OTP is required. Previously you had to pass it in via
--otp. Now it will prompt you for an OTP like other
npm tokencommands. (@iarna)
f8b1f6aecUpdate token and profile commands to support legacy (username/password) authentication. (The npm registry uses tokens, not username/password pairs, to authenticate commands.) (@iarna)
OTHER BUG FIXES
6954dfc19Fix a bug where packages would get pushed deeper into the tree when upgrading without an existing copy on disk. Having packages deeper in the tree ordinarily is harmless but is not when peerDependencies are in play. (@iarna)
1ca916a1eFix bug where when switching from a linked module to a non-linked module, the dependencies of the module wouldn’t be installed on the first run of
npm install. (@iarna)
8c120ebb2Fix integrity matching to eliminate spurious EINTEGRITY errors. (@zkat)
94227e15eMore consistently make directories using perm and ownership preserving features. (@iarna)