The npm blog has been discontinued.
Updates from the npm team are now published on the GitHub Blog and the GitHub Changelog.
v6.1.0-next.0
Look at that! A feature bump! npm@6 was super-exciting not just because it used a bigger number than ever before, but also because it included a super shiny new command: `npm audit`. Well, we’ve kept working on it since then and have some really nice improvements for it. You can expect more of them, and the occasional fix, in the next few releases as more users start playing with it and we get more feedback about what y'all would like to see from something like this.
I, for one, have started running it (and the new subcommand…) in all my projects, and it’s one of those things that I don’t know how I ever functioned without it! This will make a world of difference to so many people as far as making the npm ecosystem a higher-quality, safer commons for all of us.
This is also a good time to remind y'all that we have a new RFCs repository, along with a new process for them. This repo is open to anyone’s RFCs, and has already received some great ideas about where we can take the CLI (and, to a certain extent, the registry). It’s a great place to get feedback, and completely replaces feature requests in the main repo, so we won’t be accepting feature requests there at all anymore. Check it out if you have something you’d like to suggest, or if you want to keep track of what the future might look like!
NEW FEATURE: npm audit fix
This is the biggie with this release! `npm audit fix` does exactly what it says on the tin. It takes all the actionable reports from your `npm audit` and runs the installs automatically for you, so you don’t have to try to do all that mechanical work yourself!
Note that by default, `npm audit fix` will stick to semver-compatible changes, so you should be able to safely run it on most projects and carry on with your day without having to track down what breaking changes were included. If you want your (toplevel) dependencies to accept semver-major bumps as well, you can use `npm audit fix --force` and it’ll toss those in, as well. Since it’s running the npm installer under the hood, it also supports `--production` and `--only=dev` flags, as well as things like `--dry-run`, `--json`, and `--package-lock-only`, if you want more control over what it does.
Give it a whirl and tell us what you think! See `npm help audit` for full docs!
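To make the selection rule above concrete, here is an added example (not npm's own code) that models how a fix run decides which audit actions to apply: `review` actions have no automatic fix, semver-major bumps are held back unless `--force` is given, and `--production` / `--only=dev` filter by whether the affected path is a dev dependency. The report object is constructed for illustration and only loosely follows the shape of `npm audit --json` output; `planAuditFix` and `skipReason` are names chosen here.

```javascript
// Constructed sample in the spirit of an npm@6 audit report. Package names,
// versions and advisory ids are made up; the field names are an assumption.
const constructedReport = {
  actions: [
    { action: 'update', module: 'lib-a', target: '1.4.2', isMajor: false,
      resolves: [{ id: 101, path: 'web-framework>lib-a', dev: false }] },
    { action: 'install', module: 'test-runner', target: '5.0.0', isMajor: true,
      resolves: [{ id: 102, path: 'test-runner>notifier', dev: true }] },
    { action: 'install', module: 'lib-c', target: '2.3.1', isMajor: false,
      resolves: [{ id: 103, path: 'lib-c', dev: false }] },
    { action: 'review', module: 'lib-d',
      resolves: [{ id: 104, path: 'http-client>lib-d', dev: false }] },
  ],
};

// Explain why an action would be skipped, or return null if it can be applied.
// `force` models --force; `only` is 'prod' (--production), 'dev' (--only=dev)
// or null for the default of fixing both.
function skipReason(act, force, only) {
  if (act.action === 'review') return 'no automatic fix available';
  const devOnly = act.resolves.every(r => r.dev);
  if (only === 'prod' && devOnly) return 'dev-only path, excluded by --production';
  if (only === 'dev' && !devOnly) return 'prod path, excluded by --only=dev';
  if (act.isMajor && !force) return 'semver-major bump, held back without --force';
  return null;
}

// Return the installs a fix run would perform (as name@version specs) and the
// actions it leaves alone, each with the reason, so the plan can be reviewed
// before anything touches node_modules.
function planAuditFix(report, { force = false, only = null } = {}) {
  const apply = [];
  const skipped = [];
  for (const act of report.actions) {
    const reason = skipReason(act, force, only);
    if (reason) skipped.push({ module: act.module, reason });
    else apply.push(`${act.module}@${act.target}`);
  }
  return { apply, skipped };
}

console.log(planAuditFix(constructedReport));                  // default run
console.log(planAuditFix(constructedReport, { force: true })); // with --force
```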
OTHER NEW audit FEATURES
1854b1c7f #20568 Add support for `npm audit --json` to print the report in JSON format. (@finnp)
85b86169d #20570 Include number of audited packages in `npm install` summary output. (@zkat)
957cbe275 `npm-audit-report@1.2.1`: Overhaul audit install and detail output format. The new format is terser and fits more closely into the visual style of the CLI, while still providing you with the important bits of information you need. They also include a bit more detail on the footer about what actions you can take! (@zkat)
NEW FEATURE: GIT DEPS AND npm init <pkg>!
Another exciting change that came with npm@6 was the new `npm init` command that allows for community-authored generators. That means you can, for example, do `npm init react-app` and it’ll one-off download, install, and run `create-react-app` for you, without requiring or keeping around any global installs. That is, it basically just calls out to `npx`.
The first version of this command only really supported registry dependencies, but now, @jdalton went ahead and extended this feature so you can use hosted git dependencies, and their shorthands.
So go ahead and do `npm init facebook/create-react-app` and it’ll grab the package from the GitHub repo now! Or you can use it with a private GitHub repository to maintain your organizational scaffolding tools or whatnot. ✨
BUGFIXES
a41c0393c #20538 Make the new `npm view` work when the license field is an object instead of a string. (@zkat)
eb7522073 #20582 Add support for environments (like Docker) where the expected binary for opening external URLs is not available. (@bcoe)
212266529 #20536 Fix a spurious colon in the new update notifier message and add support for the npm canary. (@zkat)
5ee1384d0 #20597 Infer a version range when a `package.json` has a dist-tag instead of a version range in one of its dependency specs. Previously, this would cause dependencies to be flagged as invalid. (@zkat)
4fa68ae41 #20585 Make sure scoped bundled deps are shown in the new publish preview, too. (@zkat)
1f3ee6b7e `cacache@11.0.2`: Stop dropping `size` from metadata on `npm cache verify`. (@jfmartinez)
91ef93691 #20513 Fix nested command aliases. (@mmermerkaya)
18b2b3cf7 `npm-lifecycle@2.0.3`: Make sure different versions of the `Path` env var on Windows all get `node_modules/.bin` prepended when running lifecycle scripts. (@laggingreflex)
DOCUMENTATION
a91d87072 #20550 Update required node versions in README. (@legodude17)
bf3cfa7b8 Pull in changelogs from the last npm@5 release. (@iarna)
b2f14b14c #20629 Make tone in `publishConfig` docs more neutral. (@jeremyckahn)