A little release to tide you over while we hammer out the last bits for npm@5.
d13c9b2f2
init-package-json@1.10.0
:
The name:
prompt is now package name:
to make this less ambiguous for new users.The default package name is now a valid package name. For example: If your package directory has mixed case, the default package name will be all lower case.
f08c66323
#16213
Add --allow-same-version
option to npm version
so that you can use npm version
to run
your version lifecycles and tag your git repo without actually changing the version number in
your package.json
.
(@lucastheisen)f5e8becd0
Timing has been added throughout the install implementation. You can see it by running
a command with --loglevel=timing
. You can also run commands with --timing
which will write
an npm-debug.log
even on success and add an entry to _timing.json
in your cache with
the timing information from that run.
(@iarna)9c860f2ed
#16021
Fix a crash in npm doctor
when used with a registry that does not support
the ping
API endpoint.
(@watilde)65b9943e9
#16364
Shorten the ELIFECYCLE error message. The shorter error message should make it much
easier to discern the actual cause of the error.
(@j-f1)a87a4a835
npmlog@4.0.2
:
Fix flashing of the progress bar when your terminal is very narrow.
(@iarna)41c10974f
write-file-atomic@1.3.2
:
Wait for fsync
to complete before considering our file written to disk.
This will improve certain sorts of Windows diagnostic problems.2afa9240c
#16336
Don't ham-it-up when expecting JSON.
(@bdukes)566f3eebe
#16296
Use a single convention when referring to the <command>
you're running.
(@desfero)ccbb94934
#16267
Fix a missing space in the example package.json.
(@famousgarkin)ebde4ea33
hosted-git-info@2.4.2
c46ad71bb
init-package-json@1.9.6
d856d570d
npm-registry-client@8.1.1
4a2e14436
readable-stream@2.2.9
f0399138e
normalize-package-data@2.3.8
Welcome a wrinkle on npm's registry API!
Codename: Corgi
This release has some bug fixes, but it's mostly about bringing support for MUCH smaller package metadata. How much smaller? Well, for npm itself it reduces 416K of gzip compressed JSON to 24K.
As a user, all you have to do is update to get to use the new API. If you're interested in the details we've documented the changes in detail.
Package metadata: now smaller. This means a smaller cache and less to download.
86dad0d74
Add support for filtered package metadata.
(@iarna)41789cffa
npm-registry-client@8.1.0
(@iarna)Previously we needed to extract every package's tarball to look for an
npm-shrinkwrap.json
before we could begin working through what its
dependencies were. This was one of the things stopping npm's network
accesses from happening more concurrently. The new filtered package
metadata provides a new key, _hasShrinkwrap
. When that's set to false
then we know we don't have to look for one.
4f5060eb3
#15969
Add support for skipping npm-shrinkwrap.json
extraction when the
registry can affirm that one doesn't exist.
(@iarna)878aceb25
#16129
Better handle Ctrl-C while running scripts. npm
will now no longer exit
until the script it is running has exited. If you press Ctrl-C a second
time it kill the script rather than just forwarding the Ctrl-C.
(@jaridmargolin)def75eebf
hosted-git-info@2.4.1
:
Preserve case of the user name part of shortcut specifiers, previously they were lowercased.
(@iarna)eb3789fd1
node-gyp@3.6.0
: Add support for VS2017 and Chakracore improvements.
(@refack)
(@kunalspathak)245e25315
readable-stream@2.2.6
(@mcollina)30357ebc5
which@1.2.14
(@isaacs)😩😤😅 Okay! We have another next
release for ya today. So, yes! With v4.4.3 we fixed the bug that made
bundled scoped modules uninstallable. But somehow I overlooked the fact
that we: A) were using these and B) that made upgrading to v4.4.3 impossible. 😭
So I've renamed those two scoped modules to no longer use scopes and we now
have a shiny new test to ensure that scoped modules don't creep into our
transitive deps and make it impossible to upgrade to npm
.
(None of our woes applies to most of you all because most of you all don't
use bundled dependencies. npm
does because we want the published artifact to be
installable without having to already have npm
.)
2a7409fcb
#16066
Ensure we aren't using any scoped modules
Because npm
s prior 4.4.3 can't install dependencies that have bundled scoped
modules. This didn't show up sooner because they ALSO had a bug that caused
bundled scoped modules to not be included in the bundle.
(@iarna)eb4c70796
#16066
Switch to move-concurrently to remove scoped dependency
(@iarna)This is a small patch release, mostly because the published tarball for v4.4.2 was missing a couple of modules, due to a bug involving scoped modules, bundled dependencies and legacy tree layouts.
There are a couple of other things here that happened to be ready to go. So without further ado…
3d80f8f70
npm/fs-vacuum#6
fs-vacuum@1.2.1
: Make sure we never, ever remove home directories. Previously if your
home directory was entirely empty then we might rmdir
it.
(@helio-frota)1af85ca9f
#16040
Fix bug where bundled transitive dependencies that happened to be
installed under bundled scoped dependencies wouldn't be included in the
tarball when building a package.
(@iarna)13c7fdc2e
#16040
Fix a bug where bundled scoped dependencies couldn't be extracted.
(@iarna)d6cde98c2
#16040
Stop printing ENOENT
errors more than once.
(@iarna)722fbf0f6
#16040
Rewrite the extract
action for greater clarity.
Specifically, this involves moving things around structurally to do the same
thing d0c6d194
did, but in a more comprehensive manner.
This also fixes a long standing bug where errors from the move step would be
eaten during this phase and as a result we would get mysterious crashes in
the finalize phase when finalize tried to act on them.
(@iarna)6754dabb6
#16040
Flatten out @npmcorp/move
's deps for backwards compatibility reasons. Versions prior to this
one will fail to install any package that bundles a scoped dependency. This was responsible
for ENOENT
errors during the finalize
phase.
(@iarna)This week, the focus on the release was mainly going through all of npm's deps that we manage ourselves, and making sure all their PRs and versions were up to date. That means there's a few fixes here and there. Nothing too big codewise, though.
The most exciting part of this release is probably our shiny new Contributing and Troubleshooting docs! @snopeks did some ✨fantastic✨ work hashing it out, and we're really hoping this is a nice big step towards making contributing to npm easier. The troubleshooting doc will also hopefully solve common issues for people! Do you think something is missing from it? File a PR and we'll add it! The current document is just a baseline for further editing and additions.
Also there's maybe a bit of an easter egg in this release. 'Cause those are fun and I'm a huge nerd. 😉
07e997a
#15756
Overhaul CONTRIBUTING.md
and add new TROUBLESHOOTING.md
files. 🙌🏼
(@snopeks)2f3e4b6
#15833
Mention the 24-hour unpublish
policy
on the main registry.
(@carols10cents)84be534
#15888
Stop flattening ls
-tree output. From now on, deduped deps will be marked as
such in the place where they would've been before getting hoisted by the
installer.
(@iarna)e9a5dca
#15967
Limit metadata fetches to 10 concurrent requests.
(@iarna)46aa9bc
#15967
Limit concurrent installer actions to 10.
(@iarna)c3b994b
#15901
Use EXDEV aware move instead of rename. This will allow moving across devices
and moving when filesystems don't support renaming directories full of files. It might make folks using Docker a bit happier.
(@iarna)0de1a9c
#15735
Autocomplete support for npm scripts with :
colons in the name.
(@beyondcompute)84b0b92
#15874
Stop using undocumented
res.writeHeader
alias for res.writeHead
.
(@ChALkeR)895ffe4
#15824
Fix empty versions column in npm search
output.
(@bcoe)38c8d7a
init-package-json@1.9.5
: npm/init-package-json#61 Exclude existing devDependencies
from being added to dependencies
. Fixes #12260.
(@addaleax)This is a quick little patch release to forgo the update notification checker if you're on an unsupported (but not otherwise broken) version of Node.js. Right now that means 0.10 or 0.12.
56ac249
#15864
Only use update-notifier
on supported versions.
(@legodude17)Aaaah, @iarna here, it's been a little while since I did one of these! This is a nice little release, we've got an update notifier, vastly less verbose error messages, new warnings on package metadata that will probably give you a bad day, and a sprinkling of bug fixes.
We now have a little nudge to update your npm
, courtesy of
update-notifier.
148ee66
#15774
npm
will now check at start up to see if a newer version is available.
It will check once a day. If you want to disable this, set optOut
to true
in
~/.config/configstore/update-notifier-npm.json
.
(@ceejbot)npm
has, for a long time, had very verbose error messages. There was a
lot of info in there, including the cause of the error you were seeing but
without a lot of experience reading them pulling that out was time consuming
and difficult.
With this change the output is cut down substantially, centering the error
message. So, for example if you try to npm run sdlkfj
then the entire
error you'll get will be:
npm ERR! missing script: sldkfj
npm ERR! A complete log of this run can be found in:
npm ERR! /Users/rebecca/.npm/_logs/2017-02-24T00_41_36_988Z-debug.log
The CLI team has discussed cutting this down even further and stripping the
npm ERR!
prefix off those lines too. We'd appreciate your feedback on
this!
e544124
#15716
Make error output less verbose.
(@iarna)166bda9
#15716
Stop encouraging users to visit the issue tracker unless we know for
certain that it's an npm bug.
(@iarna)53412eb
#15772
We now warn if you have a module listed in both dependencies and
devDependencies.
(@TedYav)426b180
#15757
Default reporting metrics to default registry. Previously it defaulted to using
https://registry.npmjs.org
, now it will default to the result of
npm config get registry
. For most folks this won't actually change anything, but it
means that folks who use a private registry will have metrics routed there by default.
This has the potential to be interesting because it means that in the
future private registry products (npme!)
will be able to report on these metrics.
(@iarna)8ea0de9
#15716
Write logs for cb() never called
errors.c4e83dc
Make it so that errors while reading the existing node_modules tree can't
result in installer crashes.
(@iarna)2690dc2
Update npm doctor
to not treat broken symlinks in your global modules as
a permission failure. This is particularly important if you link modules and your text
editor uses the convention of creating symlinks from .#filename.js
to a
machine name and pid to lock files (eg emacs and compatible things).
(@iarna)f4c3f48
#15777
Not exactly a bug, but change a parameterless .apply
to .call
.
(@notarseniy)549dcff
rimraf@2.6.0
:
Retry EBUSY, ENOTEMPTY and EPERM on non-Windows platforms too.
More reliable rimraf.sync
on Windows.
(@isaacs)052dfb6
validate-npm-package-name@3.0.0
:
Remove ableist language in README.
Stop allowing ~'!()* in package names.
(@tomdale)
(@chrisdickinson)6663ea6
abbrev@1.1.0
(@isaacs)be6de9a
opener@1.4.3
(@dominic)900a5e3
readable-stream@2.2.3
(@RangerMauve) (@mcollina)c972a8b
tacks@1.2.6
(@iarna)85a36ef
7ac9265
tap@10.2.0
(@isaacs)Yay! Release time! It's a rainy day, and we have another smallish release for y'all. These things are not necessarily related. Or are they 🌧🤔
As far as news go, you may have noticed that the CLI team dropped support for
node@0.12
when that version went out of maintenance. Still, we've avoided
explicitly breaking it and node@0.10
so far -- but not much longer.
Sometime soon, the CLI team plans on switching over to language features only
available as of node@4 LTS
, and will likely start dropping old versions of node
as they go out of maintenance. The new features are exciting! We're really
looking forward to using them in the core CLI (and its dependencies) as we keep up
with our current feature work.
And speaking of features, this release is a minor bump due to a small change in
how npm login
works for the sake of supporting OAuth-based login for npm
Enterprise users. But we won't leave the rest of y'all out -- we're working on a
larger version of this feature. Soon enough, you'll be able to log in to npm
with, say, GitHub -- and use some shiny features that come from the integration.
Or turn on 2FA and other such security features. Keep your eyes peeled for new
on this in the next few releases and our weekly newsletter!
There's a new command line option: --auth-type
, which can be used to log in to
a supporting registry with OAuth2 or SAML. The current implementation is mainly
meant to support npmE customers, so if you're one of those: ask us about using
it! If not, just hold off cause we'll have a much more complete version of this
feature out soon.
ac8595e
bcf2dd8
9298d20
66b61bc
dc85de7
#13389
Implement single-sign-on support with --auth-type
option.
(@zkat)request
is pretty heavy. And it loads a bunch of things. It's actually a
pretty big chunk of npm's load time. This small patch by Rebecca will make it so
npm only loads that module when we're actually intending to make network
requests. Those of you who use npm commands that run offline might see a small
speedup in startup time.
4ad9247
#15630
Fix formatting/rendering for root npm README.
(@ungoldman)8cc1112
npm/hosted-git-info#21
hosted-git-info@2.2.0
:
Add support for .tarball()
URLs.
(@zkat)6eacc1b
npm-registry-mock@1.1.0
(@addaleax)a9b6d77
aproba@1.1.1
(@iarna)Hi all! I'm Kat, and I'm currently sitting in a train traveling at ~300km/h through Spain. So clearly, this release should have something to do with speed. And it does! Heck, with this release, you could say we're really blazing, even. 🌲🔥😏
You might recall if you've been keeping up that one of the reasons for a
semver-major bump to npm@4
was an improved CLI search (read: no longer blowing
up Node). The work done for that new search system, while still relying on a
full metadata download and local search, was also meant to act as groundwork for
then-ongoing work on a brand-new, smarter search system for npm. Shortly after
npm@4
came out, the bulk of the server-side work was done, and with this
release, the npm CLI has integrated use of the new endpoint for high-quality,
fast-turnaround searches.
No, seriously, it's fast. And relevant:
Give it a shot! And remember to check out the new website version of the search, too, which uses the same backend as the CLI now. 🎉
Incidentally, the backend is a public service, so you can write your own search tools, be they web-based, CLI, or GUI-based. You can read up on the full documentation for the search endpoint, and let us know about the cool things you come up with!
ce3ca51
#15481
Add an internal gunzip-maybe
utility for optional gunzipping.
(@zkat)e322932
a53055e
a1f4365
c56618c
#15481
Add support for using the new npm search endpoint for fast, quality search
results. Includes a fallback to "classic" search.
(@zkat)This is another pretty significant change: Usually, when the npm process
crashed, you would get an npm-debug.log
in your current working directory.
This debug log would get cleared out as soon as you ran npm again. This was a
bit annoying because 1) you would get a random file in your git status
that
you might accidentally commit, and 2) if you hit a hard-to-reproduce bug and
instinctually tried again, you would no longer have access to the repro
npm-debug.log
.
So now, any time a crash happens, we'll save your debug logs to your cache
folder, under _logs
(~/.npm
on *nix, by default -- use npm config get
cache
to see what your current value is). The cache will now hold a
(configurable) number of npm-debug.log
files, which you can access in the
future. Hopefully this will help clean stuff up and reduce frustration from
missed repros! In the future, this will also be used by npm report
to make it
super easy to put up issues about crashes you run into with npm. 💃🕺🏿👯♂️
04fca22
#11439
Put debug logs in $(npm get cache)/_logs
and store multiple log files.
(@KenanY)
(@othiym23)
(@isaacs)
(@iarna)ae8e71c
#15402
Add missing backtick in one of the npm doctor
messages.
(@watilde, @charlotteis)821fee6
#15480
Clarify that unscoped packages can depend on scoped packages and vice-versa.
(@chocolateboy)2ee45a8
#15515
Update minimum supported Node version number in the README to node@>=4
.
(@watilde)af06aa9
#15520
Add section to npm-scope
docs to explain that scope owners will own scoped
packages with that scope. That is, user @alice
is not allowed to publish to
@bob/my-package
unless explicitly made an owner by user (or org) @bob
.
(@hzoo)bc892e6
#15539
Replace http
with https
and fix typos in some docs.
(@watilde)1dfe875
#15545
Update Node.js download link to point to the right place.
(@watilde)98df212
#15492
Update the "master" node version used for AppVeyor to node@7
.
(@watilde)d75fc03
#15413
npm run-script
now exits with the child process' exit code on exit.
(@kapals)We have a twee little release this week as we come back from the holidays.
After jumping the gun a little, we can now officially remove 0.12 from our supported versions list. The Node.js project has now officially ended even maintenance support for 0.12 and thus, so will we. To reiterate from the last time we did this:
What this means:
What this doesn't mean:
We're not super interested in taking sides on what version of Node.js you "should" be running. We're a workflow tool, and we understand that you all have a diverse set of operational environments you need to be able to support. At the same time, we are a small team, and we need to put some limits on what we support. Tracking what's supported by our runtime's own team seems most practical, so that's what we're doing.
package.json
(AND OTHER FILES)If your package.json
, npm-shrinkwrap.json
or .npmrc
were a symlink and
you used an npm
command that modified one of these (eg npm config set
or
npm install --save
) then previously we would have removed your symlink and
replaced it with an ordinary file. While making these files symlinks is pretty
uncommon, this was still surprising behavior. With this fix we now overwrite
the destination of the symlink and preserve the symlink itself.
a583983
write-file-atomic/#5
#10223
write-file-atomic@1.3.1
:
When the target is a symlink, write-file-atomic now overwrites the
destination of the symlink, instead of replacing the symlink itself. This
makes it's behavior match fs.writeFile
.Fixed a bug where it would ALWAYS fs.stat to look up default mode and chown values even if you'd passed them in. (It still used the values you passed in, but did a needless stat.) (@iarna)
521f230
node-gyp@3.5.0
:
Improvements to how Python is located. New --devdir
flag.
(@bnoordhuis)
(@mhart)ccd83e8
JSONStream@1.3.0
:
Add new emitPath option.
(@nathanwills)This fixes a bug in the metrics reporting where, if you had enabled it then
installs would create a metrics reporting process, that would create a
metrics reporting process, that would… well, you get the idea. The only
way to actually kill these processes is to turn off your networking, then
on MacOS/Linux kill them with kill -9
. Alternatively you can just reboot.
Anyway, this is a quick release to fix that bug:
51c393f
#15237
Don't launch a metrics sender process if we're running from a metrics
sender process.
(@iarna)I'm really excited about npm@4.1.0
. I know, I know, I'm kinda overexcited
in my changelogs, but this one is GREAT. We've got a WHOLE NEW subcommand, I
mean, when was the last time you saw that? YEARS! And we have the beginnings
of usage metrics reporting. Then there's a fix for a really subtle bug that
resulted in shasum
errors. And then we also have a few more bug fixes and
other improvements.
We're adding the ability for you all to help us track the quality of your
experiences using npm
. Metrics will be sent if you run:
npm config set send-metrics true
Then npm
will report to registry.npmjs.org
the number of successful and
failed installations you've had. The data contains no identifying
information and npm will not attempt to correlate things like IP address
with the metrics being submitted.
Currently we only track number of successful and failed installations. In
the future we would like to find additional metrics to help us better
quantify the quality of the npm
experience.
190a658
#15084
Add facility for recording and reporting success metrics.
(@iarna)87afc8b
npm/npm-registry-client#147
npm-registry-client@7.4.5
:
Add support for sending anonymous CLI metrics.
(@iarna,
@sisidovski)Check Value Recommendation npm ping ok npm -v v4.0.5 node -v v4.6.1 Use node v6.9.2 npm config get registry https://registry.npmjs.org/ which git /Users/rebecca/bin/git Perms check on cached files ok Perms check on global node_modules ok Perms check on local node_modules ok Checksum cached files ok
It's a rare day that we add a new command to npm
, so I'm excited to
present to you npm doctor
. It checks for a number of common problems and
provides some recommended solutions. It was put together through the hard
work of @watilde.
2359505
0209ee5
#14582
Add new npm doctor
to give your project environment a health check.
(@watilde)If you've been getting intermittent shasum errors then you'll be pleased to know that we've tracked down at least one source of them, if not THE source of them.
87afc8b
#14626
npm/npm-registry-client#148
npm-registry-client@7.4.5
:
Fix a bug where an ECONNRESET
while fetching a package file would result
in a partial download that would be reported as a "shasum mismatch". It
now throws away the partial download and retries it.
(@iarna)When npm
was formatting file
URLs we took advantage of url.format
to
construct them. Node.js 7 changed the behavior in such a way that our use of
url.format
stopped producing URLs that we could make use of.
The reasons for this have to do with the file
URL specification and how
invalid (according to the specification) URLs are handled. How this changed
is most easily explained with a table:
URL | Node.js <= 6 | npm's understanding | Node.js 7 | npm's understanding | |
---|---|---|---|---|---|
VALID | file:///abc/def | file:///abc/def | /abc/def | file:///abc/def | /abc/def |
invalid | file:/abc/def | file:/abc/def | /abc/def | file:///abc/def | /abc/def |
invalid | file:abc/def | file:abc/def | $CWD/abc/def | file://abc/def | /def on the abc host |
invalid | file:../abc/def | file:../abc/def | $CWD/../abc/def | file://../abc/def | /abc/def on the .. host |
So the result was that passing a file
URL that npm had received that used
through Node.js 7's url.format
changed its meaning as far as npm
was
concerned. As those kinds of URLs are, per the specification, invalid, how
they should be handled is undefined and so the change in Node.js wasn't a
bug per se.
Our solution is to stop using url.format
when constructing this kind of
URL.
c9b279a
#15205
#15196
Only have one function that determines which version of a package to use
given a specifier and a list of versions.
(@iarna,
@zkat)
981ce63
#15090
Rewrite prune to use modern npm plumbing.
(@iarna)
bc4b739
#15089
Rename functions and variables in the module that computes what changes to
make to your installation.
(@iarna)
2449f74
#15089
When computing changes to make to your installation, use a function to add
new actions to take instead of just pushing on a list.
(@iarna)
33ca4e6
#15157
Update npm cache
docs to use more consistent language
(@JonahMoses)c2d22fa
#15215
nopt@4.0.1
:
The breaking change is a small tweak to how empty string values are
handled. See the brand-new
CHANGELOG.md for nopt for further
details about what's changed in this release!
(@adius,
@samjonester,
@elidoran,
@helio,
@silkentrance,
@othiym23)54d949b
npm/lockfile#24
lockfile@1.0.3
:
Handled case where callback was not passed in by the user.
(@ORESoftware)54acc03
npmlog@4.0.2
:
Documentation update.
(@helio-frota)57f4bc1
osenv@0.1.4
:
Test changes.
(@isaacs)bea1a2d
retry@0.10.1
:
No changes.
(@tim-kos)6749e39
kapouer/marked-man#9
marked-man@0.2.0
:
Add table support.
(@gholk)It's that time of year! December is upon us, which means y'all are just going to be doing a lot less, in general, for the next month or so. The "Xmas Chasm", as we like to call it, has already begun. So for those of you reading it from the other side: Hi! Welcome back!
This week's release is a relatively small one, involving just a few bugfixes and
dependency upgrades. The CLI team has been busy recently with scoping out
npm@5
, and starting to do initial spec work for in-scope stuff.
On to the actual changes!
9776d8f
#15081
bundledDependencies
are intended to be left untouched by the installer, as
much as possible -- if they're bundled, we assume that you want to be
particular about the contents of your bundle.The installer used to have a corner case where existing dependencies that had bundledDependencies would get clobbered by as the installer moved stuff around, even though the installer already avoided moving deps that were themselves bundled. This is now fixed, along with the connected crasher, and your bundledDeps should be left even more intact than before! (@iarna)
fc61c08
#15082
Initialize nodes from bundled dependencies. This should address
#14427 and related issues, but it's
turned out to be a tremendously difficult issue to reproduce in a test. We
decided to include it even pending tests, because we found the root cause of
the errors.
(@iarna)d8471a2
#12811
Consider devDependencies
when deciding whether to hoist a package. This
should resolve a variety of missing dependency issues some folks were seeing
when devDependencies
happened to also be dependencies of your
dependencies
. This often manifested as modules going missing, or only being
installed, after npm install
was called twice.
(@schmod)5978703
graceful-fs@4.1.11
:
EPERM
errors are Windows are now handled more gracefully. Windows users that
tended to see these errors due to, say, an antivirus-induced race condition,
should see them much more rarely, if at all.
(@zkatr)85b0174
request@2.79.0
(@zkat)9664d36
tap@8.0.1
(@zkat)f0f7b0f
#15083
Removed dead code.
(@iarna)bc32afe
c8a22fe
db2666d
#15085
Change some network tests so they can run offline.
(@iarna)744a39b
#15085
Make Node.js tests compatible with Windows.
(@iarna)Hey you all, we've got a couple of bug fixes for you, a slew of documentation improvements and some improvements to our CI environment. I know we just got v4 out the door, but the CLI team is already busy planning v5. We'll have more for you in early December.
45d40d9
ba2adc2
1dc8908
2ba19ee
#14403
Fix a bug where a scoped module could produce crashes when incorrectly
computing the paths related to their location. This patch reorganizes how path information
is passed in to eliminate the possibility of this sort of bug.
(@iarna)
(@NatalieWolfe)1011ec6
npm/npmlog#46
npmlog@4.0.1
: Fix a bug where the progress bar would still display even if
you passed in --no-progress
.
(@iarna)c3ac177
#14406
Sync up the dispute policy included with the CLI with the current official text.
(@mike-engel)9c663b2
#14627
Update build status branch in README.
(@cameronroe)8a8a0a3
#14609
Update examples URLs of GitHub repos where those repos have moved to new URLs.
(@dougwilson)7a6425b
#14472
Document sign-git-tag
in
npm-version(1)'s
configuration section.
(@strugee)f3087cc
#14546
Add a note about the dangers of configuring npm via uppercase env vars.
(@tuhoojabotti)50e51b0
#14559
Remove documentation that incorrectly stated that we check .npmrc
permissions.
(@iarna)6f0c353
f78bde6
#14591
Reintroduce Node.js 0.12 to our support matrix. We jumped the gun when
removing it. We won't drop support for it till the Node.js project does
so at the end of December 2016.
(@othiym23)aa73d1c
c914e80
58fe064
#14602
When running tests with coverage, use nyc's cache. This provides an 8x speedup!
(@bcoe)ba091ce
#14435
Remove an unused zero byte package.json
found in the test fixtures.
(@baderbuddy)442e01e
readable-stream@2.2.2
:
Bring in latest changes from Node.js 7.x.
(@calvinmetcalf)bfc4a1c
which@1.2.12
:
Remove unused require.
(@isaacs)Hola, amigxs. I know it's been a long time since I rapped at ya, but I
been spending a lotta time quietly reflecting on all the things going on
in my life. I was, like, in Japan for a while,
and before that my swell colleagues @zkat and
@iarna have been very capably managing the release
process for quite a while. But I returned from Japan somewhat refreshed, very
jetlagged, and filled with a burning urge to get npm@4
as stable as possible
before we push it out to the user community at large, so I decided to do this
release myself. (Also, huge thanks to Kat and Rebecca for putting out npm@4
so capably while I was on vacation! So cool to return to a major release having
gone so well without my involvement!)
That said...
Even though 4.0.1 came out hard on the heels of 4.0.0 with a couple
critical fixes, we've found a couple other major issues that we want to
see fixed before making npm@4
into npm@latest
. Some of these are
arguably breaking changes on their own, so now is the time to get them
out if we're going to do so before npm@5
, and all of them are pretty
significant blockers for a substantial number of users, so now is the
best time to fix them.
The code running the publish*
lifecycle events was very confusingly written.
In fact, we didn't really figure out what it was doing until we added the new
prepublishOnly
event and it was running people's scripts from the wrong
directory. We made it simpler. See the commit
message
for details.
Because the change is no longer running publish events when publishing prebuilt
artifacts, it's technically a breaking / semver-major change. In the off chance
that the new behavior breaks any of y'all's workflows, let us know, and we can
roll some or all of this change back until npm@5
(or forever, if that works
better for you).
With the advent of the second official Node.js LTS release, Node 6.x 'Boron', the Node.js project has now officially dropped versions 0.10 and 0.12 out of the maintenance phase of LTS. (Also, Node 5 was never part of LTS, and will see no further support now that Node 7 has been released.) As a small team with limited resources, the npm CLI team is following suit and dropping those versions of Node from its CI test matrix.
What this means:
What this doesn't mean:
We're not super interested in taking sides on what version of Node.js you "should" be running. We're a workflow tool, and we understand that you all have a diverse set of operational environments you need to be able to support. At the same time, we are a small team, and we need to put some limits on what we support. Tracking what's supported by our runtime's own team seems most practical, so that's what we're doing.
ab630c9
#14503
Node 6 is LTS; 5.x, 0.10, and 0.12 are unsupported.
(@othiym23)731ae52
#14503
Update supported version expression.
(@othiym23)The new Npm-Scope
header was previously reusing the scope
configuration option to pass the current scope back to your current
registry (which, as described
previously, is meant to set up some upcoming
registry features). It turns out that had some seriously weird
consequences in the case where
you were already configuring scope
in your own environment. The CLI
now uses separate configuration for this.
7f41295
#14519
Document that as of npm@4.0.1
, npm shrinkwrap
now includes devDependencies
unless
instructed otherwise.
(@iarna)bdc2f9e
#14501
The ENOSELF
error message is tricky to word. It's also an error that
normally bites new users. Clean it up in an effort to make it easier
to understand what's going on.
(@snopeks, @zkat)a52d0f0
glob@7.1.1
:
afda66d
isaacs/node-graceful-fs#97
graceful-fs@4.1.10
: Better backoff for EPERM on Windows.
(@sam-github)e0023c0
npm/inflight#3
inflight@1.0.6
: Clean up even if / when a callback throws.
(@phated)1d91594
request@2.78.0
(@othiym23)Ayyyy~ 🌊
So thanks to folks who were running on npm@next
, we managed to find a few
issues of notes in that preview version, and we're rolling out a small patch
change to fix them. Most notably, anyone who was using a symlinked node
binary
(for example, if they installed Node.js through homebrew
), was getting a very
loud warning every time they ran scripts. Y'all should get warnings in a more
useful way, now that we're resolving those path symlinks.
Another fairly big change that we decided to slap into this version, since
npm@4.0.0
is never going to be latest
, is to make it so devDependencies
are included in npm-shrinkwrap.json
by default -- if you do not want this, use
--production
with npm shrinkwrap
.
eff46dd
#14374
Fully resolve the path for node
executables in both $PATH
and
process.execPath
to avoid issues with symlinked node
.
(@addaleax)964f2d3
#14375
Make including devDependencies
in npm-shrinkwrap.json
the default. This
should help make the transition to npm@5
smoother in the future.
(@iarna)a5b0a8d
#14400
Recently, we've had some consistent timeout failures while running the test
suite under Travis. This tweak to tests should take care of those issues and
Travis should go back to being reliably green.
(@iarna)c5907b2
#14251
Update links to Node.js downloads. They previously pointed to 404 pages.😬
(@ArtskydJ)0c122f2
#14380
Add note and clarification on when prepare
script is run. Make it more
consistent with surrounding descriptions.
(@SimenB)51a62ab
#14359
Fixes typo in npm@4
changelog.
(@kimroen)Welcome to npm@4
, friends!
This is our first semver major release since the release of npm@3
just over a
year ago. Back then, @3
turned out to be a bit of a ground-shaking release,
with a brand-new installer with significant structural changes to how npm set up
your tree. This is the end of an era, in a way. npm@4
also marks the release
when we move both npm@2
and npm@3
into maintenance: We will no longer be
updating those release branches with anything except critical bugfixes and
security patches.
While its predecessor had some pretty serious impaact, npm@4
is expected to
have a much smaller effect on your day-to-day use of npm. Over the past year,
we've collected a handful of breaking changes that we wanted to get in which are
only breaking under a strict semver interpretation (which we follow). Some of
these are simple usability improvements, while others fix crashes and serious
issues that required a major release to include.
We hope this release sees you well, and you can look forward to an accelerated
release pace now that the CLI team is done focusing on sustaining work -- our
Windows fixing and big bugs pushes -- and we can start focusing again on
usability, features, and performance. Keep an eye out for npm@5
in Q1 2017,
too: We're planning a major overhaul of shrinkwrap
as well as various speed
and usability fixes for that release. It's gonna be a fun ride. I promise. 😘
The following breaking changes are included in this release:
npm search
rewritten to stream results, and no longer supports sorting.npm scripts
no longer prepend the path of the node executable used to run
npm before running scripts. A --scripts-prepend-node-path
option has been
added to configure this behavior.npat
has been removed.prepublish
has been deprecated, replaced by prepare
. A prepublishOnly
script has been temporarily added, which will only run on npm publish
.npm outdated
exits with exit code 1
if it finds any outdated packages.npm tag
has been removed after a deprecation cycle. Use npm dist-tag
.npm-shrinkwrap.json
is
considered a complete installation manifest except for devDependencies
.master
. We'll be using latest
from
now on.Let's face it -- npm search
simply doesn't work anymore. Apart from the fact
that it grew slower over the years, it's reached a point where we can no longer
fit the entire registry metadata in memory, and anyone who tries to use the
command now sees a really awful memory overflow crash from node.
It's still going to be some time before the CLI, registry, and web team are able
to overhaul npm search
altogether, but until then, we've rewritten the
previous npm search
implementation to stream results on the fly, from both
the search endpoint and a local cache. In absolute terms, you won't see a
performance increase and this patch does come at the cost of sorting
capabilities, but what it does do is start outputting results as it finds them.
This should make the experience much better, overall, and we believe this is an
acceptable band-aid until we have that search endpoint in place.
Incidentally, if you want a really nice search experience, we recommend checking
out npms.io, which includes a handy-dandy
npms-cli
for command-line usage -- it's an npm
search site that returns high-quality results quickly and is operated by members
of the npm community.
cfd43b4
2b8057b
#13746
Stream search process end-to-end.
(@zkat and @aredridel)50f4ec8
70b4bc2
8fb470f
ac3a6e0
bad54dd
87d504e
#13746
Updated search-related tests.
(@zkat)3596de8
#13746
JSONStream@1.2.1
(@zkat)4b09209
#13746
mississippi@1.2.0
(@zkat)b650b39
#13746
sorted-union-stream@2.1.3
(@zkat)Thanks to some great work by @addaleax, we've
addressed a fairly tricky issue involving the node process used by npm
scripts
.
Previously, npm would prefix the path of the node executable to the script's
PATH
. This had the benefit of making sure that the node process would be the
same for both npm and scripts
unless you had something like
node-bin
in your node_modules
. And it turns out
lots of people relied on this behavior being this way!
It turns out that this had some unintended consequences: it broke systems like
nyc
, but also completely broke/defeated things like
rvm
and
virtualenv
by often causing things
that relied on them to fall back to the global system versions of ruby and
python.
In the face of two perfectly valid, and used alternatives, we decided that the
second case was much more surprising for users, and that we should err on the
side of doing what those users expect. Anna put some hard work in and managed to
put together a patch that changes npm's behavior such that we no longer prepend
the node executable's path by default, and adds a new option,
--scripts-prepend-node-path
, to allow users who rely on this behavior to have
it add the node path for them.
This patch also makes it so this feature is discoverable by people who might run
into the first case above, by warning if the node executable is either missing
or shadowed by another one in PATH
. This warning can also be disabled with the
--scripts-prepend-node-path
option as needed.
3fb1eb3
6a7d375
378ae08
#13409
Add a --scripts-prepend-node-path
option to configure whether npm prepends
the current node executable's path to PATH
.
(@addaleax)70b352c
#13409
Change the default behaviour of npm to never prepending the current node
executable’s directory to PATH
but printing a warning in the cases in which
it previously did.
(@addaleax)npat
(BREAKING)Let's be real here -- almost no one knows this feature ever existed, and it's a vestigial feature of the days when the ideal for npm was to distribute full packages that could be directly developed on, even from the registry.
It turns out the npm community decided to go a different way: primarily
publishing packages in a production-ready format, with no tests, build tools,
etc. And so, we say goodbye to npat
.
prepare
SCRIPT. prepublish
DEPRECATED (BREAKING)If there's anything that really seemed to confuse users, it's that the
prepublish
script ran when invoking npm install
without any arguments.
Turns out many, many people really expected that it would only run on npm
publish
, even if it actually did what most people expected: prepare the package
for publishing on the registry.
And so, we've added a prepare
command that runs in the exact same cases where
prepublish
ran, and we've begun a deprecation cycle for prepublish
itself
only when run by npm install
, which will now include a warning any time
you use it that way.
We've also added a prepublishOnly
script which will execute only when npm
publish
is invoked. Eventually, prepublish
will stop executing on npm
install
, and prepublishOnly
will be removed, leaving prepare
and
prepublish
as two distinct lifecycles.
9b4a227
bc32078
#14290
Add prepare
and prepublishOnly
lifecycle events.
(@othiym23)52fdefd
#14290
Warn when running prepublish
on npm pack
.
(@othiym23)4c2a948
a55bd65
#14290
Added prepublish
warnings to npm install
.
(@zkat)c27412b
#14290
Replace prepublish
with prepare
in npm help package.json
documentation.
(@zkat)That's right. No more partial shrinkwraps. That means that if you have an
npm-shrinkwrap.json
in your project, npm will no longer install anything that
isn't explicitly listed there, unless it's a devDependency
. This will open
doors to some nice optimizations and make use of npm shrinkwrap
just generally
smoother by removing some awful corner cases. We will also skip devDependency
installation from package.json
if you added devDependencies
to your
shrinkwrap by using npm shrinkwrap --dev
.
b7dfae8
#14327
Use readShrinkwrap
to read top level shrinkwrap. There's no reason for npm
to be doing its own bespoke heirloom-grade artisanal thing here.
(@iarna)0ae1f4b
4a54997
f22a1ae
3f61189
#14327
Treat shrinkwrap as canonical. That is, don't try to fill in for partial
shrinkwraps. Partial shrinkwraps should produce partial installs. If your
shrinkwrap contains NO devDependencies
then we'll still try to install them
from your package.json
instead of assuming you NEVER want devDependencies
.
(@iarna)npm tag
REMOVED (BREAKING)94255da
#14328
Remove deprecated tag command. Folks must use the dist-tag
command from now
on.
(@iarna)40a04d8
e2fa18d
3ee3948
3fa25d0
#14013
Do exit 1
if any outdated dependencies are found by npm outdated
.
(@watilde)c81838a
#14013
Log non-zero exit codes at verbose
level -- this isn't something command
line tools tend to do. It's generally the shell's job to display, if at all.
(@zkat)For the purposes of supporting shiny new registry features, we've started
sending Npm-Scope
and Npm-In-CI
headers in outgoing requests.
846f61c
npm/npm-registry-client#145
npm/npm-registry-client#147
npm-registry-client@7.3.0
:
Npm-In-CI
header that reports whether we're running in CI.
(@iarna)6b6bb08
#14129
Send Npm-Scope
header along with requests to registry. Npm-Scope
is set to
the @scope
of the current top level project. This will allow registries to
implement user/scope-aware features and services.
(@iarna)506de80
#14129
Add test to ensure Npm-In-CI
header is being sent when CI is set in env.
(@iarna)bc84012
#14117
Fixes a bug where installing a shrinkwrapped package would fail if the
platform failed to install an optional dependency included in the shrinkwrap.
(@watilde)a40b32d
#13519
If a package has malformed metadata, node.requiredBy
is sometimes missing.
Stop crashing when that happens.
(@creationix)643dae2
#14244
Remove some ancient aliases that we'd rather not have around.
(@zkat)bdeac3e
#14230
Detect unsupported Node.js versions and warn about it. Also error on really
old versions where we know we can't work.
(@iarna)9ca18ad
#13746
Updated docs for npm search
options.
(@zkat)e02a47f
Move the npm@3
changelog into the archived changelogs directory.
(@zkat)c12bbf8
#14290
Document prepublish-on-install deprecation.
(@othiym23)c246a75
#14129
Document headers added by npm to outgoing registry requests.
(@iarna)cb20c73
#13953
signal-exit@3.0.1
(@benjamincoe)