Hey y'all! Here's another npm@6 release. With node@10 around the corner, this might well be the last prerelease before we tag 6.0.0! There are two major features included with this release, along with a few miscellaneous fixes and changes.
npm init SCAFFOLDING
Thanks to the wonderful efforts of @jdalton of lodash fame, npm init can now be used to invoke custom scaffolding tools! You can now do things like npm init react-app or npm init esm to scaffold an npm package by running create-react-app or create-esm, respectively. This also adds an npm create alias, to correspond to Yarn's yarn create feature, which
833046e45 #20303 Add an npm init feature that calls out to npx when invoked with positional arguments. (@jdalton)
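The mapping from an npm init argument to the create-* package that npx ends up running, written out as an added illustration (this is not npm's own code). The plain name -> create-name rule is the one the release notes describe; the handling of scoped initializers (@scope -> @scope/create, @scope/foo -> @scope/create-foo) follows the npm 6 documentation for npm init. The planInit function also returns the resolved package name so a practitioner can review exactly which package would be executed before letting npx fetch and run it.

```javascript
// Added example: resolve `npm init <initializer> [args...]` to the npx
// invocation it implies. Not npm's implementation; field names and the
// planInit helper are this example's own.

function initializerToPackage(initializer) {
  if (typeof initializer !== 'string' || initializer.length === 0) {
    throw new TypeError('initializer must be a non-empty string');
  }
  if (initializer.startsWith('@')) {
    // Scoped forms: "@scope" -> "@scope/create", "@scope/foo" -> "@scope/create-foo"
    const slash = initializer.indexOf('/');
    if (slash === -1) return `${initializer}/create`;
    const scope = initializer.slice(0, slash);
    const name = initializer.slice(slash + 1);
    return name.length > 0 ? `${scope}/create-${name}` : `${scope}/create`;
  }
  // Unscoped: "esm" -> "create-esm", "react-app" -> "create-react-app"
  return `create-${initializer}`;
}

// Build the npx command line npm would hand off to, keeping any extra
// positional arguments for the scaffolding tool itself.
function planInit(argv) {
  if (!Array.isArray(argv) || argv.length === 0) {
    throw new TypeError('expected at least the initializer name');
  }
  const [initializer, ...rest] = argv;
  const pkg = initializerToPackage(initializer);
  return { pkg, command: ['npx', pkg, ...rest] };
}

// Constructed sample invocation: what `npm init esm --yes` would run.
const sample = planInit(['esm', '--yes']);
console.log(`npm init ${['esm', '--yes'].join(' ')} -> ${sample.command.join(' ')}`);
```

Reviewing `plan.pkg` before execution is the point of returning it: the package that gets run is derived purely from user-typed text, so a typo in the initializer name selects a different package from the registry.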
This version of npm adds a new command, npm audit, which will run a security audit of your project's dependency tree and notify you about any actions you may need to take.
The registry-side services required for this command to work will be available on the main npm registry in the coming weeks. Until then, you won't get much out of trying to use this on the CLI.
As part of this change, the npm CLI now sends scrubbed and cryptographically anonymized metadata about your dependency tree to your configured registry, to allow notifying you about the existence of critical security flaws. For details about how the CLI protects your privacy when it shares this metadata, see npm help audit, or read the docs for npm audit online. You can disable this altogether by doing npm config set audit false, but you will no longer benefit from the service.
09c734803 #20389 Add new npm audit command. (@iarna)
be393a290 #20389 Temporarily suppress git metadata till there's an opt-in. (@iarna)
8e713344f #20389 Document the new command. (@iarna)
package-lock.json FORMAT CHANGES?!
from field back into package-lock for git dependencies. This will give npm the information it needs to figure out whether git deps are valid, especially when running with legacy install metadata or in --package-lock-only mode when there's no node_modules. This should help remove a significant amount of git-related churn on the lock-file. (@zkat)
npm it) will no longer generate package-lock.json when running with
9c1eb945b #20390 Fix a scenario where a git dependency had a committish associated with it that was not a complete commit id. npm would never consider that entry in the package.json as matching the entry in the package-lock.json, and this resulted in inappropriate pruning or reinstallation of git dependencies. This has been addressed in two ways. First, the addition of the from field as described in #20384 means we can exactly match the package.json. Second, when that's missing (when working with older package-lock.json files), we assume that the match is ok. (If it's not, we'll fix it up when a real installation is done.) (@iarna)
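The two-step matching rule described for #20390 and the from field from #20384, reduced to a small added illustration. This is not npm's own code: the lock entry shape (a version field holding the resolved git URL with its full commit id, plus an optional from field holding the original package.json spec) is an assumption modelled on npm 6 lock files, and the repository URL and commit id are constructed sample values. The legacy function shows why a short committish never matched the 40-character id recorded in the lock; the fixed function shows the exact from comparison, with the "assume ok" fallback for older lock files that lack from.

```javascript
// Added example, not npm's implementation. Lock-entry field names (`version`,
// `from`) are assumptions; all sample values below are constructed.

const FULL_COMMIT_ID = /^[0-9a-f]{40}$/;

// Split "<url>#<committish>" into its parts; a missing committish is "".
function parseGitSpec(spec) {
  const hash = spec.indexOf('#');
  if (hash === -1) return { url: spec, committish: '' };
  return { url: spec.slice(0, hash), committish: spec.slice(hash + 1) };
}

function isCompleteCommitId(committish) {
  return FULL_COMMIT_ID.test(committish);
}

// Pre-fix behaviour: the committish in package.json had to equal the full
// commit id that the lock's resolved URL carries. A short id or a branch name
// can never satisfy this, which is the mismatch #20390 describes.
function matchesLegacy(pkgSpec, lockEntry) {
  const want = parseGitSpec(pkgSpec).committish;
  const have = parseGitSpec(lockEntry.version).committish;
  return isCompleteCommitId(want) && want === have;
}

// Post-fix behaviour: compare exactly against `from` when the lock records it;
// when an older lock has no `from`, assume the entry matches and let a real
// install correct it later.
function matchesWithFrom(pkgSpec, lockEntry) {
  if (typeof lockEntry.from === 'string') return lockEntry.from === pkgSpec;
  return true;
}

// Constructed sample data: a package.json spec using a 7-character short id,
// and two lock entries resolved to the same (made-up) full commit id.
const SAMPLE_SHA = 'abc1234deadbeef0123456789abcdef012345678';
const SAMPLE_SPEC = 'github:example-org/example-repo#abc1234';
const RESOLVED = `git+https://github.com/example-org/example-repo.git#${SAMPLE_SHA}`;
const lockWithFrom = { version: RESOLVED, from: SAMPLE_SPEC };
const lockLegacy = { version: RESOLVED };

// Summarise what each rule decides for the sample, for a quick comparison.
function compareRules(pkgSpec, lockEntry) {
  return {
    legacy: matchesLegacy(pkgSpec, lockEntry),
    withFrom: matchesWithFrom(pkgSpec, lockEntry),
  };
}

console.log('lock with from:   ', compareRules(SAMPLE_SPEC, lockWithFrom));
console.log('older lock, no from:', compareRules(SAMPLE_SPEC, lockLegacy));
```

The fallback in matchesWithFrom is deliberately permissive: an older lock file cannot prove the spec changed, so the CLI trusts it until an install actually resolves the git ref, which is the trade-off the release notes describe.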