This version brings the latest node-gyp to a soon to be released Node.js
4.x.  The node-gyp update is particularly important to Windows folks due to
its addition of Visual Studio 2017 support.
cdd60e733
node-gyp@3.6.0:
Improvements to how Python is located. New --devdir flag.
Support for VS2017.
Chakracore support on ARM.
Remove path-array dependency, reducing size significantly.
(@bnoordhuis)
(@mhart)
(@refack)
(@kunalspathak)
On we go with our monthly release cadence! This week is pretty much all dependency updates and some documentation changes, as can be expected by now.
Note that npm@4 will almost certainly be released next month! It's not final
what we'll end up doing as far as LTS support goes, but the current thinking is
that, considering how small and resource-constrained our team is, support for
npm@2 will be reduced to essentially maintenance, so we can better focus on
npm@3 as the new LTS version (which will go into node@6), and npm@4 as our
next main development version.
8f71038
#13892
Update LICENSE file to match license on master.
(@rvagg)
e81b4f1
#12438
Remind folks to use #!/usr/bin/env node in their bin scripts to make files
executable directly.
(@mxstbr)
f89789f
#13655
Document line comment syntax for .npmrc.
(@mdjasper)
5cd3abc
#13493
Document that the user config file can itself be configured either through the
$NPM_CONFIG_USERCONFIG environment variable, or --userconfig command line
flag.
(@jasonkarns)
dd71ca0
#13911
Minor documentation reword and cleanup.
(@othiym23)
f7a320c
#13682
Minor grammar fix in documentation for npm scripts.
(@Ajedi32)
e5cb5e8
#13717
Document that npm link will link the files specified in the bin field of
package.json to {prefix}/bin/{name}.
(@legodude17)
8bef026
graceful-fs@4.1.6
(@francescoinfante)
9f73f4a
glob@7.0.6
(@isaacs)
5391b7e
which@1.2.1
(@isaacs)
43bfec8
retry@0.10.0
(@tim-kos)
39305f1
readable-stream@2.1.5
(@calvinmetcalf)
a5512fa
once@1.4.0
(@zkochan)
06a208b
npm-registry-client@7.2.1:
EventEmitter warning spam from error handlers on socket.
(@addaleax)
4f759be
inherits@2.0.3
(@isaacs)
4258b76
tap@7.1.1
(@isaacs)
Hi all, today's our first release coming out of the new monthly release cadence. See below for details. We're all recovered from conferences now and raring to go! For LTS we see some bug fixes, documentation improvements and a host of dependency updates.
The most dramatic bug fix is probably the inclusion of scoped modules in
bundled dependencies. Prior to this release and
v3.10.7, npm had ignored
scoped modules found in bundleDependencies entirely.
Releasing npm has been, for the most part, a very prominent part of our weekly process. As part of our efforts to find the most effective ways to allocate our team's resources, we decided last month that we would try and slow our releases down to a monthly cadence, and see if we found ourselves with as much extra time and attention as we expected to have. Process experiments are useful for finding more effective ways to do our work, and we're at least going to keep doing this for a whole quarter, and then measure how well it worked out. It's entirely likely that we'll switch back to a more frequent cadence, especially if we find that the value that weekly cadence was providing the community is not worth sacrificing for a bit of extra time. Does this affect you significantly? Let us know!
405c404
#13023
Fixed a Windows issue with the cache where callbacks could be called more than once.
(@zkat)
bf348dc
#13023
Fixed a Windows corner case with correct-mkdir where if SUDO_UID or
SUDO_GID were set then we would try to chown things even though that can't
work on Windows.
(@zkat)
68f29f1
#12669
Ignore ENOENT errors on chownr while adding packages to cache. This change
works around problems with race conditions and local packages.
(@julianduque)
363e381
#13319
As Node.js 0.8 is no longer supported, remove mention of it from the README.
(@watilde)
e8fafa8
#10167
Clarify in scope documentation that npm@2 is required for scoped packages.
(@danpaz)
66ef279
npm/fstream-npm#22
fstream@1.1.1:
Always include NOTICE files now. Fix inclusion of scoped modules as bundled dependencies.
(@kemitchell)
(@forivall)
fe8385b
glob@7.0.5:
Update minimatch dep for security fix. See the minimatch update below for details.
(@isaacs)
51d49d2
isaacs/node-graceful-fs#71
graceful-fs@4.1.5:
graceful-fs had a bug fix which
fixes a problem (nodejs/node#7846) exposed
by recent changes to Node.js.
(@thefourtheye)
5c8f39d
minimatch@3.0.3:
Handle extremely long and terrible patterns more gracefully.
There were some magic numbers that assumed that every extglob pattern starts
and ends with a specific number of characters in the regular expression.
Since !(||) patterns are a little bit more complicated, this led to creating
an invalid regular expression and throwing.
(@isaacs)
d681e16
npm/npm-user-validate#9
npm-user-validate@0.1.5:
Use correct, lower username length limit.
(@aredridel)
f918994
request@2.74.0:
Update request dependency tough-cookie to 2.3.0 to
address https://nodesecurity.io/advisories/130.
Versions 0.9.7 through 2.2.2 contain a vulnerable regular expression that,
under certain conditions involving long strings of semicolons in the
"Set-Cookie" header, causes the event loop to block for excessive amounts of
time.
(@stash-sfdc)
5540cc4
isaacs/rimraf#111
rimraf@2.5.4: Clarify assertions: cb is required, options are not.
(@isaacs)
6357928
spdx-license-ids@1.2.2:
New licenses synced from spdx.org.
(@shinnn)
What's this? An LTS release? Yes, that is indeed so. Small, as usual, and as LTSs should be, really, but a release nonetheless!
The star of the show is an updated node-gyp with some goodies. The rest is
just docs and some CI stuff.
Happy hacking!
f9a07cc
#13200
node-gyp@3.4.0:
AIX, Visual Studio 2015, and logging improvements. Oh my~!
(@rvagg)
bee83b8
Globally install rimraf on CI to make the LTS self-install work better.
(@othiym23)
6b8c0ab
This new Travis configuration only runs coverage checks against Node.js LTS,
which speeds up all the other test runs. By, like, a lot. Also, the entire
file has been extensively commented, so the next time we need to mess with it,
we'll be able to better remember why all the weird bits are there.
(@othiym23)
2c7a5be
#13156
Fix old reference to doc/install in a source comment.
(@sheerun)
e1cf78c
#13189
#13113
#13189
Fixes a link to npm-tag(3) that was breaking to instead point to
npm-dist-tag(1), as reported by @SimenB
(@macdonst)
There's a very important bug fix and a long-awaited (and significant!) deprecation in this hotfix release. Hold on.
When Node.js 6.0.0 was released, the CLI team noticed an alarming upsurge in
bugs related to important files (like README.md) not being included in
published packages. The new bugs looked much like
#5082, which had been around in one
form or another since April, 2014. #5082 used to be a very rare (and obnoxious)
bug that the CLI team hadn't had much luck reproducing, and we'd basically
marked it down as a race condition that arose on machines using slow and / or
rotating-media-based hard drives.
Under 6.0.0, the behavior was reliable enough to be nearly deterministic, and
made it very difficult for publishers using .npmignore files in combination
with "files" stanzas in package.json to get their packages onto the
registry without one or more files missing from the packed tarball. The entire
saga is contained within the issue,
but the summary is that an improvement to the performance of
fs.realpath()
made it much more likely that the packing code would lose the race.
Fixing this has proven to be very difficult, in part because the code used by npm to produce package tarballs is more complicated than, strictly speaking, it needs to be. @evanlucas contributed a patch that passed the tests in a special test suite that I (@othiym23) created (with help from @addaleax), but only after we'd released the fixed version of that package did we learn that it actually made the problem worse in other situations in npm proper. Eventually, @rvagg put together a more durable fix that appears to completely address the errant behavior under Node.js 6.0.0. That's the patch included in this release. Everybody should chip in for redback insurance for Rod and his family; he's done the community a huge favor.
Does this mean the long (2+ year) saga of #5082 is now over? At this point, I'm going to quote from my latest summary on the issue:
The CLI team (mostly me, with input from the rest of the team) has decided that the overall complexity of the interaction between fstream, fstream-ignore, fstream-npm, and node-tar has grown more convoluted than the team is comfortable (maybe even capable of) supporting.
- While I believe that @rvagg's (very targeted) fix addresses this issue, I would be shocked if there aren't other race conditions in npm's packing logic. I've already identified a couple other places in the code that are most likely race conditions, even if they're harder to trigger than the current one.
- The way that dependency bundling is integrated leads to a situation in which a bunch of logic is duplicated between fstream-npm and lib/utils/tar.js in npm itself, and the way fstream's extension mechanism works makes this difficult to clean up. This caused a nasty regression (#13088, see below) as of ~npm@3.8.7 where the dependencies of bundledDependencies were no longer being included in the built package tarballs.
- The interaction between .npmignore, .gitignore, and files is hopelessly complicated, scattered in many places throughout the code. We've been discussing making the ignores and includes logic clearer and more predictable, and the current code fights our efforts to clean that up.
So, our intention is still to replace fstream, fstream-ignore, and fstream-npm with something much simpler and purpose-built. There's no real reason to have a stream abstraction here when a simple recursive-descent filesystem visitor and a synchronous function that can answer whether a given path should be included in the packed tarball would do the job adequately.
What's not yet clear is whether we'll need to replace node-tar in the process. node-tar is a very robust implementation of tar (it handles, like, everything), and it also includes some very important tweaks to prevent several classes of security exploits involving maliciously crafted packages. However, its packing API involves passing in an fstream instance, so we'd either need to produce something that follows enough of fstream's contract for node-tar to keep working, or swap node-tar out for something like tar-stream (and then ensuring that our use of tar-stream is secure, which could involve security patches for either npm or tar-stream).
The testing and review of fstream@1.0.10 that the team has done leads us to
believe that this bug is fixed, but I'm feeling more than a little paranoid
about fstream now, so it's important that people keep a close eye on their
publishes for a while and let us know immediately if they notice any
irregularities.
2c49265
#5082 fstream@1.0.10: Ensure that
entries are collected after a paused stream resumes.
(@rvagg)
92e4344
#5082 Remove the warning introduced
in npm@3.10.0, because it should no longer be necessary.
(@othiym23)
At NodeConf Adventure 2016 (RIP in peace, Mikeal Rogers's NodeConf!), the CLI team had an opportunity to talk to representatives from some of the larger companies that we knew were still using Node.js 0.8 in production. After asking them whether they were still using 0.8, we got back blank stares and questions like, "0.8? You mean, from four years ago?" After establishing that being able to run npm in their legacy environments was no longer necessary, the CLI team made the decision to drop support for 0.8. (Faithful observers of our team meetings will have known this was the plan for NodeConf since the beginning of 2016.)
In practice, this means only what's in the commit below: we've removed 0.8 from
our continuous integration test matrix below, and will no longer be habitually
testing changes under Node 0.8.  We may also give ourselves permission to use
setImmediate() in test code. However, since the project still supports
Node.js 0.10 and 0.12, it's unlikely that patches that rely on ES 2015
functionality will land anytime soon.
Looking forward, the team's current plan is to drop support for Node.js 0.10 when its LTS maintenance window expires in October, 2016, and 0.12 when its maintenance / LTS window ends at the end of 2016. We will also drop support for Node.js 5.x when Node.js 6 becomes LTS and Node.js 7 is released, also in the October-December 2016 timeframe.
(Confused about Node.js's LTS policy? Don't be! If you look at this diagram, it should make all of the preceding clear.)
If, in practice, this doesn't work with distribution packagers or other community stakeholders responsible for packaging and distributing Node.js and npm, please reach out to us. Aligning the npm CLI's LTS policy with Node's helps everybody minimize the amount of work they need to do, and since all of our teams are small and very busy, this is somewhere between a necessity and non-negotiable.
4a1ecc0
Remove 0.8 from the Node.js testing matrix, and reorder to match real-world
priority, with comments. (@othiym23)
It pains me greatly that we haven't been able to fix #5082 yet, but warning you away from potentially publishing incomplete packages takes priority over feeling cheesy about landing a warning to help keep y'all out of trouble, so here you go (please read this next bit (please clap)):
Publishing and packing are buggy under Node versions greater than 6.0.0. Please use Node.js LTS (4.4.x) to publish packages. See #5082 for details and current status.
1877171
#12873
Ignore .nyc_output. This will help avoid an accidental publish or commit filled with
code coverage data.
(@TheAlphaNerd)
470ae86
#12983
Describe how to run the lifecycle scripts of dependencies. How you do
this changed with npm v2.
(@Tapppi)
9cedf37
#12776
Remove mention of <pkg> arg for run-script.
(@fibo)
55b8424
#12840
Remove sexualized language from comment.
(@geek)
d6bf0c3
#12802
Small grammar fix in doc/cli/npm.md.
(@andresilveira)
2c2c568
readable-stream@2.1.4: Brought up to date with Node 6.1.0's streams implementation.
(@calvinmetcalf)
d682e64
npm/npm-user-validate#8
npm-user-validate@0.1.4: Add a maximum length limit for usernames based on
the (arbitrary) limit imposed by the primary npm registry.
(@aredridel)
448b65b
which@1.2.10: Remove unused dependency is-absolute, bug fixes.
(@isaacs)
7d15434
require-inject@1.4.0: Add requireInject.withEmptyCache and
requireInject.installGlobally.andClearCache to support loading modules to be
injected with an empty cache.
(@iarna)
31845c0
init-package-json@1.9.4:
Replace use of reserved identifier package in, uh, the package.
(@adius)
d73ef3e
glob@7.0.4: Use userland fs.realpath implementation to get glob working under Node 6.
(@isaacs)
b47da85
inflight@1.0.5: Correct link to package repository, add "files" stanza.
(@iarna, @jamestalmage)
04815e4
npm/npmlog#32
npmlog@2.0.4: Add "files" stanza to package.json.
(@jamestalmage)
9e29ad2
wrappy@1.0.2: Add "files" stanza to package.json.
(@jamestalmage)
44af4d4
abbrev@1.0.9 (@jorrit)
6c977c0
npm-registry-client@7.1.2: Add support for newer versions of npmlog.
(@iarna)
I have a couple of doc fixes and a shrinkwrap fix for you all this week.
55c998a
#5135
Fix a bug where peerDependencies & shrinkwraps didn't play nice together. (Where
the peerDependency resolver would end up installing its dep when it wasn't needed.)
(@majgis)
node-gyp DOCS IMPROVEMENTS
1826908
#12636
Improve npm-scripts documentation regarding when node-gyp is used.
(@reconbot)
f9ff7f3
#12586
Correct package.json documentation as to when node-gyp rebuild is called.
This now matches https://docs.npmjs.com/misc/scripts#default-values
(@reconbot)
This is a minor LTS release, bringing dependencies up to date and updating our CI matrix to match what we support.
Some of the dependency updates come out of our getting the development branch's tests passing on Windows and so bring in fixes for a few Windows related corner cases.
f2f8753
which@1.2.8:
Properly handle relative path executables.
(@isaacs)
e287ca9
read-package-json@2.0.4:
Fix Windows issue with ENOTDIR detection.
(@zkat)
1a0ce6c
realize-package-specifier@3.0.3:
Use npa with windows fix.
Fix relative path resolution when the local file might also be a tag.
(@zkat)
(@iarna)
a475c9a
lru-cache@4.0.1:
Use Symbol if available.
(@isaacs)
7141e08
sorted-object@2.0.0
(@iamstarkov)
27c6190
request@2.72.0
(@simov)
ab90daf
readable-stream@2.1.2
(@calvinmetcalf)
b1715f8
graceful-fs@4.1.4
(@isaacs)
ca97de6
block-stream@0.0.9
(@isaacs)
Gosh, it's been a peaceful couple of weeks!
Overall, the CLI team has been focused on the project to get the test suite passing on Windows. Our efforts should be paying off soon -- there's only a couple of tests left!
It's very unlikely those particular changes will make their way into our current
npm@2 LTS release, I think, but it will help npm@3 a lot, as well as
whatever version makes it into node@6, which will eventually be the next
Node.js LTS.
As far as this week goes, we've got a couple of dep updates and doc fixes. Always happy to see community contributions flying in. 💚
b178c4a
spdx-license-ids@1.2.1:
Minor project-related tweaks -- no license changes.
(@shinnn)
1adf179
normalize-git-url@3.0.2:
Fixes file:// URLs on Windows. Turns out stuff like file://C:\hello is
actually fairly weird for a URL (it's not actually a valid URL, but we're just
gonna pretend.😉)
(@zkat)
9cfd56c
fs-vacuum@1.2.9:
This one goes out to our fans at Big Blue: There was an AIX-specific issue
where fs.rmDir was failing with EEXIST instead of ENOTEMPTY with
non-empty directories.
(@richardlau)
No seriously, we love these. Keep 'em comin'!
2afe8bf
#12415
Clarify that the --cert and --key options are actual certs and keys, not
paths to files containing them.
(@rvedotrc)
3522560
#12107
Document npm login as an alias to npm adduser. People are still surprised
by this so often.
(@gnerkus)
Hiiiiiii!~👋
We're really happy to be getting more and more community contributions! Keep it up! We really appreciate folks trying to help us, and we'll do our best to help point you in the right direction. Even things like documentation are a huge help. And remember -- you get socks for it, too!🎁
This week is as quiet as usual, aside from fixing a regression to npm
deprecate you might want to pay attention to! Other than that, just docs and
deps, as any good LTS release train should be. 🙆
6e0b66e
#11884
Include node_modules in the list of files and directories that npm won't
include in packages ordinarily. (Modules listed in bundledDependencies and
things that those modules rely on, ARE included of course.)
(@Jameskmonger)
9896290
#12079
Back in npm@2.13.1 we included a patch that made it so npm install pkg
was basically npm install pkg@latest instead of
pkg@*. This is probably what most
users expected, but it also ended up breaking npm
deprecate when no version was provided
for a package. In that case, we were using * to mean "deprecate all
versions" and relying on the pkg -> pkg@* conversion. This patch fixes
npm deprecate pkg to work as it used to by special casing that particular
command's behavior.
(@polm)
6c1628f
#12146
Adds make doc-clean to prepublish script, to clear out previously built
docs before publishing a new npm version.
(@watilde)
6d3017e
#12146
Adds doc-clean phony target to make publish.
(@watilde)
d43921c
#12147
Document that the current behavior of engines is just to warn if the node
platform is incompatible.
(@reconbot)
3cfe99e
#12093
Update bugs url in package.json to use the https URL for Github.
(@watilde)
ecf865f
#12075
Add the --ignore-scripts flag to the npm install docs.
(@paulirish)
f0e6db3
#12063
Various minor fixes to the html docs homepage.
(@watilde)
It's always nice to see new contributors. 💚
This week sees another small release, but we're still chugging along on our Windows efforts.
There are also some small, relatively recent changes to our LTS process that you might wanna know about! 💁
For one, the 2.x branch was removed in favor of just lts. If you're making
PRs exclusively against npm's LTS, please use that name from now on. 2.x was
deleted.
Also, @othiym23 put some time into writing down our LTS process and policy. Check it out and ping us if you have questions or comments about it!
In general, we're trying to make sure all our policy and such for our contributors is written down, and we hope it makes it easier in general for y'all. Forrest is also working on a shiny new Contributor's Guide right now, but we'll link to that in the (near?) future, when it's ready to roll out.
1d0e468
#11931
Removes a bunch of old, disabled tests that have just been sitting around,
doing nothing.
(@othiym23)
7ae8aa1
#11987
There was a failure in the outdated-symlink test caused by using the default
registry instead of the mock registry tests.
(@yodeyer)
b2649fb
#12006
Access was Team and Team was Access, but someone from the community rolled
around and corrected it for us. Thanks a bunch!
(@yaelz)
This release includes the fix for a vulnerability that could cause the unintentional leakage of bearer tokens.
Here are details on this vulnerability and how it affects you.
Since 2014, npm’s registry has used HTTP bearer tokens to authenticate requests from npm’s command-line interface. A design flaw meant that the CLI was sending these bearer tokens with every request made by logged-in users, regardless of the destination of their request. (The bearer tokens should only have been included for requests made against a registry or registries used for the current install.)
An attacker could exploit this flaw by setting up an HTTP server that could collect authentication information, then use this authentication information to impersonate the users whose tokens they collected. This impersonation would allow them to do anything the compromised users could do, including publishing new versions of packages.
With the fixes we’ve released, the CLI will only send bearer tokens with requests made against a registry.
If you believe that your bearer token may have been leaked, invalidate your
current npm bearer tokens and rerun
npm login to generate new tokens. Keep in mind that this may cause continuous
integration builds in services like Travis to break, in which case you’ll need
to update the tokens in your CI server’s configuration.
Maybe.
npm’s CLI team believes that the fix won’t break any existing registry setups. Due to the large number of registry software suites out in the wild, though, it’s possible our change will be breaking in some cases.
If so, please file an issue describing the software you’re using and how it broke. Our team will work with you to mitigate the breakage.
Thanks to Mitar, Will White & the team at Mapbox, Max Motovilov, and James Taylor for reporting this vulnerability to npm.
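The scoping rule this advisory describes, as an added example that is not npm's own code: the token is attached only when the parsed request URL falls under a configured registry. The function names, the registry URL, the token and the sample requests are all assumptions constructed for illustration.

```javascript
// Added example, not npm's implementation. Every name, URL and token below is
// constructed for illustration.

// Split a configured registry URL into an origin and a path prefix ending in "/".
function registryScope (registry) {
  const u = new URL(registry)
  const prefix = u.pathname.endsWith('/') ? u.pathname : u.pathname + '/'
  return { origin: u.origin, prefix }
}

// True only when `target` lives under one of the configured registries.
// Comparing the parsed origin (scheme + host + port) rejects look-alike hosts,
// userinfo tricks and downgrades to plain http; the "/"-terminated prefix
// rejects sibling paths such as /npm-mirror when the registry is /npm.
function isRegistryRequest (target, registries) {
  let t
  try {
    t = new URL(target)
  } catch (err) {
    return false // unparseable target: never attach credentials
  }
  const path = t.pathname.endsWith('/') ? t.pathname : t.pathname + '/'
  return registries.some((registry) => {
    const scope = registryScope(registry)
    return t.origin === scope.origin && path.startsWith(scope.prefix)
  })
}

// Behaviour the advisory describes before the fix: a logged-in user's token
// goes out with every request, whatever the destination.
function headersBeforeFix (target, token) {
  const headers = { accept: 'application/json' }
  if (token) headers.authorization = 'Bearer ' + token
  return headers
}

// Behaviour after the fix: the token is sent only to a configured registry.
function headersAfterFix (target, token, registries) {
  const headers = { accept: 'application/json' }
  if (token && isRegistryRequest(target, registries)) {
    headers.authorization = 'Bearer ' + token
  }
  return headers
}

// Constructed sample configuration and request targets.
const REGISTRIES = ['https://registry.example.test/npm']
const TOKEN = 'constructed-token-0000'
const SAMPLE_REQUESTS = [
  'https://registry.example.test/npm/sample-pkg',
  'https://registry.example.test/npm/sample-pkg/-/sample-pkg-1.0.0.tgz',
  'https://registry.example.test/npm-mirror/sample-pkg',
  'https://registry.example.test/npm/../other/sample-pkg',
  'http://registry.example.test/npm/sample-pkg',
  'https://registry.example.test.other.invalid/npm/sample-pkg',
  'https://registry.example.test@other.invalid/npm/sample-pkg',
  'https://tarballs.other.invalid/sample-pkg-1.0.0.tgz',
  'not a url'
]

// List the sample requests on which each policy would disclose the token.
function audit (requests, token, registries) {
  const exposedBefore = []
  const exposedAfter = []
  for (const target of requests) {
    if (headersBeforeFix(target, token).authorization) exposedBefore.push(target)
    if (headersAfterFix(target, token, registries).authorization) exposedAfter.push(target)
  }
  return { exposedBefore, exposedAfter }
}

const report = audit(SAMPLE_REQUESTS, TOKEN, REGISTRIES)
console.log('token sent before fix:', report.exposedBefore.length, 'of', SAMPLE_REQUESTS.length)
console.log('token sent after fix: ', report.exposedAfter)
```

The same comparison can be run over a proxy or CI egress log to see which non-registry hosts received an Authorization header from an unpatched client, which helps decide whose tokens need to be invalidated.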
Aside from that, it's another one of those releases again! Docs and tests, it turns out, have a pretty easy time getting into LTS releases, and boring is exactly how LTS should be. 💁
981c89c
#11820
The basic explanation for how npm link works was a bit confusing, and
somewhat incorrect. It should be clearer now.
(@rhgb)
35b2b45
#11787
The verison alias for npm version no longer shows up in the command list
when you do npm -h.
(@doug-wade)
1c9d00f
#11786
Add a comment to the npm-scope.md docs about npm@>=2 being required in
order to use scoped packages.
(@doug-wade)
7d64fb1
#11762
Roll back patch that previously advised people to use --depth Infinity
instead of --depth 9999. Just keep using --depth 9999.
(@GriffinSchneider)
98a9ee4
#11912
Did you know npm can install itself? npm install -g npm is the way to
upgrade! Turns out that one of the tests that verified this functionality got
rewritten as part of our recent push for better tests, and in the process
omitted a detail about how the test ran. We're testing that corner case
again, now, by moving the install folder to /tmp, where the original legacy
test ran.
(@iarna)
A brief note about LTS this week!
npm, as you may know if you're using this 2.x branch, has an LTS process for
releases. We also try and play nice with Node.js' own LTS release
process. That means we generally try to
avoid things like minor version bumps on our 2.x branch (which is also tagged
lts in the dist-tags).
That said, we had a minor-bump update recently for npm@3.8.0 which added a
maxsockets option to allow users to configure the number of concurrent sockets
that npm would keep open at a time -- a setting that has the potential to help a
bunch for people with fussy routers or internet connections that aren't very
happy with Node.js applications' usual concurrency storm. This change was done
to npm-registry-client, which we don't have a parallel LTS-tracking branch
for.
After talking it over, we ended up deciding that this was a reasonable enough
addition to LTS, even though it's technically a semver-minor bump, taking
into account both its potential for bugfixing (especially on 2.x!) and the
general hassle it would be to maintain another branch for npm-registry-client.
6dd61e7
Expose maxsockets config setting from new npm-registry-client.
(@misterbyrne)
8a021c3
npm-registry-client@7.1.0:
Adds support for configuring the max number of concurrent sockets, defaulting
to 50.
(@iarna)
0ae9f74
#11748
Add command aliases as a separate section in documentation for npm
subcommands.
(@watilde)
bfc3888
strip-ansi@3.0.1
(@jbnicolai)
d5f4d51
node-gyp@3.3.1: Fixes Android generator
(@bnoordhuis)
4119df8
glob@7.0.3: Some path-related fixes for Windows.
(@isaacs)
This week is all documentation improvements. In case you hadn't noticed, we love doc patches. We love them so much, we give socks away if you submit documentation PRs!
These folks are all getting socks if they ask for them. The socks are super-sweet. Do you have yours yet? 👣
3f3c7d0
#11441
Add a link to the Contribution
Guidelines to the
main npm docs.
(@watilde)
9f87bb1
#11441
Remove Google Group email from npm docs about contributing.
(@watilde)
93eaab3
#11474
Fix an invalid JSON error overlooked in
#11196.
(@robludwig)
a407ca2
#11483
Add more details and an example to the documentation for bundledDependencies.
(@gnerkus)
2c851a2
#11490
Document the --registry flag for npm search.
(@plumlee)
Good news, everyone! There's a new LTS release with a few shinies here and there!
We had some cases where the versions of npm and node used in some scripting situations were different than the ideal, or what folks actually expected. These should be particularly helpful to our Windows friends! <3
02813c5
#9253
Fix a bug where, when running lifecycle scripts, if the Node.js binary you ran npm with wasn't in your PATH, npm wouldn't use it to run your scripts.
(@segrey and @narqo)
a985dd5
#11526
Prefer locally installed npm in Git Bash -- previous behavior was to use the global one. This was done previously for other shells, but not for Git Bash.
(@destroyerofbuilds)
f961092
#11636.
Document the --save-bundle option for npm install.
(@datyayu)
7c908b6
#11644
Add documentation for the test directory for packages.
(@lewiscowper)
The npm CLI team's time recently has been sunk into npm's many years of tech debt. Specifically, we've been working on improving the test suite. This isn't user visible, but in future should mean a more stable, easier to contribute to npm. Ordinarily we don't report these kinds of changes in the change log, but I thought I might share this week as this chunk is bigger than usual.
These patches were previously released for npm@3, and then ported back to npm@2 LTS.
437c537
#11613
Fix up one of the tests after rebasing the legacy test rewrite to npm@2.
(@zkat)
55abd0c
#11613
Test that the package.json files section and .npmignore do what they're supposed to.
(@zkat)
a2b99b6
#11613
Test that npm's distribution binary is complete and can be installed and used.
(@iarna)
8a8c36c
#11613
Test that environment variables are properly passed into scripts.
(@iarna)
a95b550
#11613
Test that we don't leak auth info into the environment.
(@iarna)
a1c1c52
#11613
Remove all the relatively cryptic legacy tests and create new tap tests that check the same functionality. The legacy tests were tests that were originally a shell script that was ported to JavaScript early in npm's history.
(@iarna and @zkat)
9d89581
#11613
tacks@1.0.9: Add a package that provides a tool to generate fixtures from folders and, relatedly, a module that can create and tear down filesystem fixtures easily.
(@iarna)
Hope y'all are having a nice week! As usual, it's a fairly limited release. The most notable thing is some dependency updates that might help the Node.js CI setup for Windows run a little better, even if we have some work to do on that path length thing, still.
So for all of you who don't know -- Node.js does, in fact, support long Windows paths. Unfortunately, depending on the tool and the Windows version, a lot of external tooling does not. This means, for example, that some (all?) versions of Windows Explorer can literally never delete npm from their system entirely because of deeply-nested npm dependencies. Which is pretty gnarly.
Incidentally, if you run into that in particular, you can use rimraf to remove such files 💁.
The latest victim of this issue was the Node.js CI setup for testing on Windows, which uses some tooling or another that croaks on the usual path length limit for that OS: 255 characters.
This issue, of course, is largely not a problem as of npm@3, with its flat
trees, but it still occasionally and viciously bites LTS.
We've taken another baby step towards alleviating this in this release by
updating a couple of dependencies that were preventing npmlog from deduping,
and then doing a dedupe on that and gauge. Hopefully it helps.
4199551
#11528
npm-install-checks@1.0.7: Just updates the version of npmlog so we can
dedupe it better.
(@zkat)
14d72c7
#11552
#11528
node-gyp@3.3.0: AIX support, new gyp, update npmlog (for the dedupe),
adds --cafile command line option, and allows configuration of Node.js and
io.js mirrors.
(@rvagg)
0453cb9
#11528
Do a dedupe on gauge to flatten our dependencies a bit more.
(@zkat)
7232948
#11416
Logout docs were using a section copy-pasted from the adduser docs.
(@wyze)
922b33a
#11414
Add colon for consistency.
(@wyze)
Really tiny micro-release this week! The main thing to note is a dependency
update that means we no longer have graceful-fs@3 in our dependency tree. This
has some implications for being able to run on future Node.js releases, so
better to get this out the door. 😁
a556e0f
cmd-shim@2.0.2: Final straggler using graceful-fs@<4.
(@ForbesLindesay)
69a2d59
#11391
Fixed versions of shrinkwrap.json in examples in documentation for npm
shrinkwrap, which did not quite match up.
(@xcatliu)
Clearly our docs are perfect after all those wonderful PRs, 'cause this week's gonna be all about dependency updates. Note: There is a small security-related fix included here!
5c095ef
#11341
request@2.69.0: Includes security-related dependency updates involving
hawk and is-my-json-valid
(@remy and @simov)
f9c2668
which@1.2.4
(@isaacs)
2907c43
spdx-license-ids@1.2.0
(@shinnn)
7734069
rimraf@2.5.1
(@isaacs)
f4b39a7
retry@0.9.0
(@tim-kos)
ded1e7a
Nest retry@0.8.0 inside npm-registry-client to prevent invalid
dependency issue until the latter gets a dependency update.
(@zkat)
ab9f867
read-package-json@2.0.3
(@iarna)
b638c41
npmlog@2.0.2
(@iarna)
49f34af
init-package-json@1.9.3
(@iarna)
2305dab
graceful-fs@4.1.3: Fixed .close() not being patched.
(@isaacs)
18496d9
fs-write-stream-atomic@1.0.8
(@iarna)
6637bc7
config-chain@1.1.10
(@dominictarr)
4222bad
columnify@1.5.4
(@timoxley)
df9016f
ansi@0.3.1: Added a license file.
(@TooTallNate)
Another week, another small LTS release!
So as it turns out, when stuff goes wrong, it's actually nice to give people a better clue rather than just say "oh well 😏".
5b8ccb9
#11289
There is an obscure feature that lets you monkey-patch npm when it starts up.
If the module being required with this feature failed, it would previously just
make npm error out; this reduces that to a warning.
(@evanlucas)556e42a
#11300
Report symlinked packages as 'linked' in the output for npm outdated.
(@halhenke)3842317
#11290
Suppress warnings about pre-release node versions. This should get node's CI
passing on non-Windows platforms without needing to modify the node version to
get rid of the pre-release suffix.
(@iarna)
Did you know that you can get npm socks for contributing to our docs? I bet these people do, and now so do you!
dcde451
#11232
Update automatically included/excluded packages in package.json.
(@jscissr)e3f8d5b
#11273
Add an example for npm view <pkg> versions.
(@vedatmahir)6a06ef2
#11272
Fix a typo in npm-update.md.
(@jonathanp)2515ff1
#11215
Correct small thinko in docs for SPDX expressions.
(@kemitchell)70f897b
#11196
Make JSON snippets valid JSON in npm update docs.
(@s100)
Good to see you all again! It's been a while since we had an LTS release, and the team continues to work hard to both get the issue tracker under control, and get our test suite to be awesome and reliable.
This is also the first LTS release of this year.
We're gonna have an interesting time -- most of our focus this year will be around stability and maintainability of the CLI, so you might actually end up seeing a number of updates even over here, just for the sake of making sure we're stable, that bugs get fixed, and tests have proper coverage.
What better way to start this effort, then, than getting Travis tests green, fix a few things here and there, and tweak a bunch of documentation? 😁
24b13fb
#11158
Fix custom node-gyp env var quoting on Windows.
(@orangemocha)e2503f2
#11142
Fix race condition with correctMkdir in the cache directory.
(@Jimbly)
5c0e4c4
#10940
Ignore failures replacing package.json. writeFileAtomic is not atomic in
Windows, it fails if the file is being accessed concurrently.
(@orangemocha)
2c44d8d
#10903
Add tests for npm adduser --scope.
(@ekmartin)
4cb25d0
#10903
Add a message informing users when they have been successfully logged in.
(@ekmartin)
fe3ec6d
#10628
Tell users how to open an issue with a package that has errored.
(@trodrigues)
We got a TON of lovely documentation patches, too! Thanks all for submitting!
22482a1
#11188
Briefly explain what's included when you publish.
(@beaugunderson)fa47724
#11150
Advise use of --depth Infinity instead of --depth 9999 in npm update.
(@halhenke)248ddfe
#11130
Nuke "using npm programmatically" section from README. The programmatic npm
API is unsupported, and is not guaranteed not to break in non-major versions.
Removing this section so newcomers aren't encouraged to discover or use it.
(@ljharb)ae9c452
#11128
Add link to local paths section in docs for package.json.
(@orangejulius)663a8c6
#11044
Update default value documentation for the color option in npm's config.
(@scottaddie)5c1dda0
#11037
Correct the name property max length constraint verbiage.
(@scottaddie)8288365
#10990
Update folder docs to reflect that process.installPrefix was removed as of
0.8.x.
(@jeffmcmahan)61d63fa
#10790
Clarify that npm install foo is the same as npm install foo@latest now.
(@cvrebert)442c920
#10789
Link over to npm-dist-tag(1) in npm install docs when they talk about the
pkg@<tag> syntax.
(@cvrebert)dca7a5e
#10788
Link to tag docs in docs for npm publish --tag.
(@cvrebert)a72904e
#10787
Explain why the latest tag matters.
(@cvrebert)9d0697a
#10785
Replace some quote marks in npm dist-tag docs for the sake of consistency.
(@cvrebert)
So Travis is all green now on npm@2, thanks to the removal of nock and a few
other test suite tweaks. This is a fantastic step towards making sure we can all
have confidence in our test suite! 🎉
64995be 75ab216 a9f6fe9 649c193 94cb05e 6541690 255be6f 9e84fa4 8a587b0 bf812a5
#10903
Get rid of nock from tests, and get Travis green.
(@zkat and @iarna)70a5310
npm-registry-couchapp@2.6.12:
Better 0.8 compatibility, and ability to run in travis docker stuff. This
means the test suite should run a lot faster, too!
(@iarna)28fae39
Get rid of sudo, for Travis!
(@zkat)
Did you know that Bob Ross reached the rank of master sergeant in the US Air Force before becoming perhaps the most soothing painter of all time?
f482664
#10505 npm ls --json --depth=0
now respects the depth parameter, when it is zero and when it is not zero.
(@MarkReeder)529fa1f
#9099 I had always thought you
could run npm version from subdirectories in your project, which is great,
because now you can. I guess I was just ahead of my time.
(@ekmartin)1fc7f2b
#10546 Goodbye, FAQ! You were
cheeky and fun until you weren't! Don't worry: npm still loves everyone,
especially you! (@ashleygwilliams)7fe6950
#10570 Update documentation URLs
to be HTTPS everywhere sensible. No HTTP shall be spared!
(@rsp)96ebb90
#10650 Correctly note that there
are two lifecycle scripts run by an install phase in an example, instead of
three. (@eymengunay)5196893
#10687 npm outdated's output can
be a little puzzling sometimes. I've attempted to make it clearer, with some
examples, of what's going on with "wanted" and "latest" in more cases.
(@othiym23)8e6712d
#10700 Hey, do you remember when
search.npmjs.org was a thing? I think I do? The last time I used it was in
like 2012, and it's gone now, so remove it from the docs.
(@gagern)27d2612
semver@5.1.0: Include BNF for SemVer expression grammar (which is also now
included in npm help semver). (@isaacs)fc6c3c5
request@2.67.0 (@simov)07013fd
isaacs/rimraf#89 rimraf@2.4.4
(@zerok)bc149be
isaacs/once#7 once@1.3.3
(@floatdrop)ac598d3
lru-cache@3.2.0 (@isaacs)1b915ce
npm-registry-client@7.0.9 (@othiym23)df7dd78
tap@2.3.1 (@isaacs)
The license incorrectly identified the registry URL as registry.npmjs.com and
this has been corrected to registry.npmjs.org.
6051a69
#10685
Fix npm public registry URL in notices.
(@kemitchell)
We updated modules that had been using MD5 for non-security purposes. While this is perfectly safe, if you compile Node in FIPS-compliance mode it will explode if you try to use MD5. We've replaced MD5 with Murmur, which conveys our intent better and is faster to boot.
30b5994
#10629
write-file-atomic@1.1.4
(@othiym23)68c63ff
#10629
fs-write-stream-atomic@1.0.5
(@othiym23)e48e5a9
nodejs/node-gyp#831
node-gyp@3.2.1: Improved *BSD support.
(@bnoordhuis)
npm-the-CLI is licensed under the terms of the Artistic License 2.0, which is a liberal open-source license that allows you to take this code and do pretty much whatever you like with it (that is, of course, not legal language, and if you're doing anything with npm that leaves you in doubt about your legal rights, please seek the review of qualified counsel, which is to say, not members of the CLI team, none of whom have passed the bar, to my knowledge). At the same time the primary registry the CLI uses when looking up and downloading packages is a commercial service run by npm, Inc., and it has its own Terms of Use.
Aside from clarifying the terms of use (and trying to make sure they're more
widely known), the only recent changes to npm's licenses have been making the
split between the CLI and registry clearer. You are still free to do whatever
you like with the CLI's source, and you are free to view, download, and publish
packages to and from registry.npmjs.org, but now the existing terms under
which you can do so are more clearly documented. Aside from the two commits
below, see also the release notes for
npm@2.14.11, which is where
the split between the CLI's code and the terms of use for the registry was
first made more clear.
1f3e936
#10532 Clarify that
registry.npmjs.org is the default, but that you're free to use the npm CLI
with whatever registry you wish. (@kemitchell)6733539
#10532 Having semi-duplicate
release information in README.md was confusing and potentially inaccurate,
so remove it. (@kemitchell)
It turns out that a fair number of us use bash on Windows (through MINGW or bundled with Git, plz – Cygwin is still a bridge too far, for both npm and Node.js). @jakub-g did us all a favor and relaxed the check for npm completion to support MINGW bash. Thanks, Jakub!
333e118
node-gyp@3.2.0: Support AIX, use which to find Python, updated to a newer
version of gyp, and more! (@bnoordhuis)1f4b4bb
Removed spdx as a direct npm dependency, since we don't actually need it at
that level, and updated subdeps for validate-npm-package-license
(@othiym23)
These are great! Keep them coming! Sorry for letting them pile up so deep, everybody. Also, a belated Thanksgiving to our Canadian friends, and a happy Thanksgiving to all our friends in the USA.
6101f44
#10250 Correct order of org:team
in npm team documentation. (@louislarry)e8769f9
#10371 Remove broken / duplicate
link to tag. (@WickyNilliams)1ae2dbe
#10419 Remove references to
nonexistent npm-rm(1) documentation. (@KenanY)777a271
#10474 Clarify that install finds
dependencies in package.json. (@sleekweasel)dcf4b5c
#10497 Clarify what a package is
slightly. (@aredridel)447b3d6
#10539 Remove an extra, spuriously
capitalized letter. (@alexlukin-softgrad)
This week heralds the general release of the primary npm registry's new support for private packages for organizations. For many potential users, it's the missing piece needed to make it easy for you to move your organization's private work onto npm. And now it's here! The functionality to support it has been in place in the CLI for a while now, thanks to @zkat's hard work.
During our final testing before the release, our ace support team member @snopeks noticed that there had been some drift between the CLI team's implementation and what npm was actually preparing to ship. In the interests of everyone having a smooth experience with this extremely useful new feature, we quickly made a few changes to square up the CLI and the web site experiences.
0e8b15e
#9327 npm access no longer has
problems when run in a directory that doesn't contain a package.json.
(@othiym23)c4e939c
npm/npm-registry-client#126
npm-registry-client@7.0.8: Allow the CLI to grant, revoke, and list
permissions on unscoped (public) packages on the primary registry.
(@othiym23)
We don't often have much to say about the changes we make to our internal testing and tooling, but I'm going to take this opportunity to reiterate that npm tries hard to maintain compatibility with a wide variety of Node versions. As this change shows, we want to ensure that npm works the same across:
Contributors who send us pull requests often notice that it's very rare that our tests pass across all of those versions (ironically, almost entirely due to the packages we use for testing instead of any issues within npm itself). We're currently beginning an effort, lasting the rest of 2015, to clean up our test suite, and not only get it passing on all of the above versions of Node.js, but working solidly on Windows as well. This is a compounding form of technical debt that we're finally paying down, and our hope is that cleaning up the tests will produce a more robust CLI that's a lot easier to write patches for.
When you run npm install foo, you probably expect that you'll get the
latest version of foo, whatever that is. And good news! That's what this
change makes it do.
We think this is what everyone wants, but if this causes problems for you, we
want to know! If it proves problematic for people we will consider reverting it
(preferably before this becomes npm@latest).
Previously, when you ran npm install foo we would act as if you typed npm
install foo@*. Now, like any range-type specifier, in addition to matching the
range, it would also have to be <= the value of the latest dist-tag.
Further, it would exclude prerelease versions from the list of versions
considered for a match.
This worked as expected most of the time, unless your latest was a prerelease
version, in which case that version wouldn't be used, to everyone's surprise.
54a9046
#10326 Clarify what-all is covered
by npm's license and point to the registry's terms of use.
(@kemitchell)28efd3d
#10232 nock@1.9.0: Downgrade
nock to a version that doesn't depend on streams2 in core so that more of our
tests can pass in 0.8. (@iarna)eacac8f
#9965 Fix a corrupt package.json
file introduced by a merge conflict in
022691a.
(@waynebloss)ea7d8e0
npm/nopt#51 nopt@3.0.6: Allow
types checked to be validated by passed-in name in addition to the JS name of
the type / class. (@wbecker)
There's nothing in here that isn't in the npm@3.4.0 release notes, but
all of the commit shasums have been adjusted to be correct. Enjoy!
204c558
#8640
npm/normalize-package-data#69
normalize-package-data@2.3.5: Fix a bug where if you didn't specify the
name of a scoped module's binary, it would install it such that it was
impossible to call it.  (@iarna)bbdf4ee
npm/fstream-npm#14
fstream-npm@1.0.7: Only filter config.gypi when it's in the build
directory.  (@mscdex)d82ff81
npm/fstream-npm#15
fstream-npm@1.0.6: Stop including directories that happened to have names
matching whitelisted npm files in npm module tarballs. The most common cause
was that if you had a README directory then everything in it would be
included whether you wanted it or not. (@taion)
16361d1
#10036 Fix typo / over-abbreviation.
(@ifdattic)d1343dd
#10176 Fix broken link, scopes =>
scope.  (@ashleygwilliams)110663d
#9460 Specifying the default command
run by "npm start" and the fact that you can pass it arguments.
(@JuanCaicedo)7476d2d
npm/npmlog#19
npmlog@2.0.0: Make it possible to emit log messages with error as the
prefix.
(@bengl)6ca7888
read-package-json@2.0.2: Minor cleanups.
(@KenanY)
There's still life in npm@2, but for now, enjoy these dependency upgrades!
Also, @othiym23 says hi! waves
@zkat has her hands full, and
@iarna's handling npm@3, so I'm dealing with
npm@2 and the totally nonexistent weird bridge npm@1.4 LTS release that may
or may not be happening this week.
f52f0cb
#10150 chmodr@1.0.2: Use
fs.lstat() to check if an entry is a directory, making chmodr() work
properly with NFS mounts on Windows. (@sheerun)f7011d7
#10150 which@1.2.0: Additional
command-line parameters, which is nice but not used by npm.
(@isaacs)ebcc0d8
#10150 minimatch@3.0.0: Don't
package browser version. (@isaacs)8c98dce
#10150 fstream-ignore@1.0.3:
Upgrade to use minimatch@3 (for deduping purposes).
(@othiym23)db9ef33
#10150 request@2.65.0:
Dependency upgrades and a few bug fixes, mostly related to cookie handling.
(@simov)dfbf621
#10150 tap@2.2.0: Better
handling of test order (including some test fixes for npm).
(@isaacs)cf5ad5a
#10150 nock@2.16.0: More
expectations, documentation, and bug fixes.
(@pgte)
OS&F is definitely my favorite convention I've gone to. Y'all should check it out next year! Rebecca and Kat are back, although Forrest is out at &yet conf.
This week sees another tiny LTS release with non-code-related patches -- just CI/release things.
Meanwhile, have you heard? npm@3 is much faster now! Go upgrade with npm
install -g npm@latest and give it a whirl if you haven't already!
Seriously. I love me some case-sensitive filesystems, but a lot of us have to
deal with git and its funky support for case normalizing systems. Have mercy
and just don't bother if all you're changing is casing, please? Otherwise, I
have to do this little dance to prevent horrible conflicts.
c3a7b61
#9804 Remove the readme file with
weird casing.
(@zkat)f3f619e
#9804 Add the readme file back in,
with desired casing.
(@zkat)
Either way, it's nice to make sure we're running stuff on the latest Node. 4.2
is getting released very soon, though (this week?), and that'll be the first
official LTS release!
Hi all, and greetings from Open Source & Feelings!
So we're switching gears a little with how we handle our weekly releases: from now on, we're going to stagger release weeks between dependency bumps and regular patches. So, this week, aside from a doc change, we'll be doing only version bumps. Expect actual patches next week!
So I snuck this in, because it's our own @snopeks'
first contribution to the main npm repo. She's been helping with building
support documents for Orgs, and contributed her general intro guide to the new
feature so you can read it with npm help orgs right in your terminal!
Anyway -- here's your version bump! :)
4aeb94c
request@2.64.0: No longer defaulting to application/json for json
requests. Also some minor doc and packaging patches.
(@simov)
minimatch@3.0.0: No longer packaging browser modules.
(@isaacs)a18b213
glob@5.0.15: Upgraded minimatch dependency.
(@isaacs)9eb64d4
nock@2.13.0
(@pgte)
¯\_(ツ)_/¯
Since 2.x is LTS now, you can expect a slowdown in overall release sizes. On
top of that, we had our all-company-npm-internal-conf thing on Monday and
Tuesday so there wasn't really time to do much at all.
Still, we're bringing you a couple of tiny little changes this week!
7b7da13
#9471 When the port for a tarball is
different than the registry it's in, but the hostname is the same, the
protocol is now allowed to change, too.
(@fastest963)6643ada
request@2.63.0: Use application/json as the default content type when
making json requests.
(@simov)
That's right folks. As of this week, npm@next is npm@3, which means it'll be
npm@latest next week! There's some really great shiny new things over there,
and you should really take a look.
Many kudos to @iarna for her hard work on npm@3!
Don't worry, we'll keep 2.x around for a while (as LTS), but you won't see
many, if any, new features on this end. From now on, we're going to use
latest-2 and next-2 as the dist tags for the npm@2 branch.
Yes! Especially if you're using scoped packages. Apparently, deprecating them never worked, but that should be better now. :)
eca7b24
#9558 Add tests for npm deprecate.
(@zkat)648fe16
#9558 npm-registry-client@7.0.7:
Fixes npm deprecate so you can actually deprecate scoped modules now (it
never worked).
(@zkat)
node-waf
idk. Some old thing. We don't talk about it anymore.
cf1b39f
#9584 Fix ancient references to
node-waf in the docs to refer to the node-gyp version of things.
(@KenanY)
graceful-fs AND node-gyp SAGA CONTINUES
Last week had some sweeping graceful-fs upgrades, and this takes care of one
of the stragglers, as well as bumping node-gyp. node@4 users might be
excited about this, or even node@<4 users who previously had to cherry-pick a
bunch of patches to get the latest npm working.
e07354f
sha@2.0.1: Upgraded graceful-fs!
(@ForbesLindesay)83cb6ee
node-gyp@3.0.3
(@rvagg)0d60888
normalize-package-data@2.3.4: Use an external package to check for built-in
node modules.
(@sindresorhus)79b4dac
retry@0.8.0
(@tim-kos)c164941
request@2.62.0: node 4 added to build targets. Option initialization issues
fixed.
(@simov)0fd878a
lru-cache@2.7.0: Cache serialization support and fixes a cache length bug.
(@isaacs)6a7a114
nock@2.12.0
(@pgte)6b25e6d
semver@5.0.3: Removed uglify-js dead code.
(@isaacs)
So Node 4 is out now and that's
going to involve a number of things over in npm land. Most importantly, it's the
last major release that will include the 2.x branch of npm. That also means
that 2.x is going to go into LTS mode in the coming weeks -- once npm@3
becomes our official latest release. You can most likely expect Node 5 to
include npm@3 by default, whenever that happens. We'll go into more detail
about LTS at that point, as well, so keep your eyes peeled for announcements!
Node 4 being released means that a few things that used to be floating patches are finally making it right into npm proper. This week, we've got two such updates, both to dependencies:
505d9e4
node-gyp@3.0.1: Support for node nightlies and compilation for both node and
io.js without extra patching
(@rvagg)
@thefourtheye was kind enough to submit a
bunch of PRs to npm's dependencies updating them to graceful-fs@4.1.2, which
mainly makes it so we're no longer monkey-patching fs. The following are all
updates related to this:
10cb189
write-file-atomic@1.1.3
(@thefourtheye)edfb80b
tar@2.2.1
(@thefourtheye)aa6e1ee
read-package-json@2.0.1
(@thefourtheye)18971a3
read-installed@4.0.3
(@thefourtheye)a4cba71
fstream@1.0.8
(@thefourtheye)70a38e2
fs-write-stream-atomic@1.0.4
(@thefourtheye)9cbd20f
fs-vacuum@1.2.7
(@thefourtheye)c4dd521
#9506 Make npm link work on
Windows when using node pre-release/RC releases.
(@jon-hall)b6bc29c
#9544 process.binding is being
deprecated, so our only direct usage has been removed.
(@ChALkeR)d940594
tap@1.4.1
(@isaacs)ee38486
which@1.1.2: Added tests for Windows-related dead code that was previously
helping a silent failure happen.  Travis stuff, too.
(@isaacs)475daf5
#9492 Clarify how .npmignore and
.gitignore are found and used by npm.
(@addaleax)b2c391d
nopt@3.0.4: Minor clarifications to docs about how array and errors work.
(@zkat)
Our closed beta for Teens and Orcs is happening! The web team is hard at work making sure everything looks pretty and usable and such. Once we fix things stemming from that beta, you can expect the feature to be available publicly. Some time after that, it'll even be available for free for FOSS orgs. It'll Be Done When It's Done™.
Looks like last week's release foiled our own test suite when trying to upstream
it to Node! Just a friendly reminder that no, .npmrc is no longer included
when you pack/release a package! @othiym23 and
@isaacs managed to suss the really strange test
failures resulting from that, and we've patched it in this release.
01a3428
#9476 test: Recreate missing
.npmrc files when missing so downstream packagers can run tests on packed
npm.
(@othiym23)
No actual dep updates this week, but we're bumping a couple of devDeps:
8454835
tap@1.4.0: Add t.contains() as alias to t.match()
(@isaacs)13d2216
deep-equal@1.0.1: Make null == undefined in non-strict mode
(@isaacs)
preferGlobal WARNING RIGHT
So apparently the preferGlobal option hasn't quite been warning correctly for
some time. But now it should be all better! tl;dr: if you try and install a
dependency with preferGlobal: true, and it's not already in your
package.json, you'll get a warning that the author would really rather you
install it with --global. This should prevent Windows PowerShell from thinking
npm has failed just because of a benign warning.
bbb25f3
#8841
#9409 The preferGlobal
warning shouldn't happen if the dependency being installed is listed in
devDependencies. (@saper)222fcec
#9409 preferGlobal now prints a
warning when there are no dependencies for the current package.
(@zkat)5cfed6d
#9409 Verify that
preferGlobal is warning as expected (when a preferGlobal dependency is
installed, but isn't listed in either dependencies or devDependencies).
(@zkat)eeafce2
validate-npm-package-license@3.0.1: Include additional metadata in parsed license object,
useful for license checkers. (@kemitchell)1502a28
normalize-package-data@2.3.2: Updated to use validate-npm-package-license@3.0.1.
(@othiym23)cbde823
init-package-json@1.9.1: Add a silent option to suppress output on writing the
generated package.json. Also, updated to use validate-npm-package-license@3.0.1.
(@zkat)08fda46
tar@2.2.0: Minor improvements. (@othiym23)dc2f20b
rimraf@2.4.3: EPERM now triggers a delay / retry loop (since Windows throws
this when things still hold a handle). (@isaacs)e8acb27
read@1.0.7: Fix licensing ambiguity. (@isaacs)73a1ee0
#9386 Include additional unignorable files in
documentation.
(@mjhasbach)0313e40
#9396 Improve the EISDIR error
message returned by npm's error-handling code to give users a better hint of
what's most likely going on.  Usually, error reports with this error code are
about people trying to install things without a package.json.
(@KenanY)2677457
#9360 Make it easier to run
only some of npm tests with lifecycle scripts via npm tap test/tap/testname.js.
(@iarna)
There are patches for two information leaks of moderate severity in npm@2.14.1:
config.gypi, a
file created by node-gyp that is a cache of environmental information
regenerated on every run) containing the bearer tokens used to authenticate
users to the registry. Users with affected packages have been notified (and
the affected tokens invalidated), and now npm has been modified to not
upload files that could contain this information, as well as scrubbing the
sensitive information out of the environment passed to child scripts.
.npmrc files are used by some maintainers as a way to scope
those packages to a specific registry and its credentials. This is a
reasonable use case, but by default .npmrc was packed into packages,
leaking those credentials.  npm will no longer include .npmrc when packing
tarballs.
If you maintain packages and believe you may be affected by either
of the above scenarios (especially if you've received a security
notification from npm recently), please upgrade to npm@2.14.1 as
soon as possible. If you believe you may have inadvertently leaked
your credentials, upgrade to npm@2.14.1 on the affected machine,
and run npm logout and then npm login. Your access tokens will be
invalidated, which will eliminate any risk posed by tokens inadvertently
included in published packages. We apologize for the inconvenience this
causes, as well as the oversight that led to the existence of this issue
in the first place.
Huge thanks to @ChALkeR for bringing these issues to our attention, and for helping us identify affected packages and maintainers. Thanks also to the Node.js security working group for their coördination with the team in our response to this issue. We appreciate everybody's patience and understanding tremendously.
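The two leaks described above, together with the fix that filters private configuration values out of child environments, as an added audit example in JavaScript. It is not npm's or fstream-npm's own code; the function names, the registry.example.test host and all sample inputs are constructed, and limiting the config.gypi check to a build directory is an assumption.

```javascript
// Added example, not npm's own code. All sample data below is constructed.

// A config key is "private" when it starts with an underscore, including the
// registry-scoped form, e.g. "//registry.example.test/:_authToken".
function isPrivateConfigKey(key) {
  return key.startsWith('_') || key.includes(':_');
}

// Copy an environment, dropping npm_config_* variables that carry private
// keys, so package and lifecycle scripts never see credentials.
function scrubChildEnv(env) {
  const prefix = 'npm_config_';
  const clean = {};
  for (const [name, value] of Object.entries(env)) {
    const isNpmConfig = name.toLowerCase().startsWith(prefix);
    if (isNpmConfig && isPrivateConfigKey(name.slice(prefix.length))) continue;
    clean[name] = value;
  }
  return clean;
}

// Flag entries of a packed file list that can carry local configuration:
// .npmrc at any depth, and config.gypi inside a build directory (assumption).
function findLeakyFiles(paths) {
  return paths.filter((p) => {
    const parts = p.replace(/\\/g, '/').split('/').filter(Boolean);
    const base = parts[parts.length - 1];
    const parent = parts[parts.length - 2];
    if (base === '.npmrc') return true;
    return base === 'config.gypi' && parent === 'build';
  });
}

// Report private keys set in .npmrc text by line number, never the values.
function findCredentialKeys(npmrcText) {
  const hits = [];
  npmrcText.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    // Skip blanks and the two .npmrc comment styles.
    if (line === '' || line.startsWith('#') || line.startsWith(';')) return;
    const eq = line.indexOf('=');
    if (eq === -1) return;
    const key = line.slice(0, eq).trim();
    if (isPrivateConfigKey(key)) hits.push({ line: i + 1, key });
  });
  return hits;
}

// Constructed file list of a packed tarball.
const samplePackedFiles = [
  'package/package.json',
  'package/index.js',
  'package/.npmrc',
  'package/build/config.gypi',
  'package/docs/config.gypi',
];

// Constructed per-project .npmrc; the token is a placeholder.
const sampleNpmrc = [
  '; constructed sample',
  'registry=https://registry.example.test/',
  '//registry.example.test/:_authToken=PLACEHOLDER-TOKEN',
  '# a comment',
  'save-exact=true',
].join('\n');

// Constructed environment as a lifecycle script might receive it.
const sampleEnv = {
  PATH: '/usr/bin',
  npm_config_registry: 'https://registry.example.test/',
  'npm_config_//registry.example.test/:_authToken': 'PLACEHOLDER-TOKEN',
  npm_config__auth: 'PLACEHOLDER',
  npm_config_save_exact: 'true',
};

// Run all three checks and return one report object.
function auditPackage(files, npmrcText, env) {
  const childEnv = scrubChildEnv(env);
  return {
    leakyFiles: findLeakyFiles(files),
    credentialKeys: findCredentialKeys(npmrcText),
    removedEnvVars: Object.keys(env).filter((k) => !(k in childEnv)),
  };
}

console.log(JSON.stringify(
  auditPackage(samplePackedFiles, sampleNpmrc, sampleEnv), null, 2));
```

Run against the output of a dry pack of your own package, a non-empty `leakyFiles` or `credentialKeys` result means the tokens involved should be treated as exposed and rotated with npm logout and npm login, as the notes above describe.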
b9474a8
fstream-npm@1.0.5: Stop publishing build cruft (config.gypi) and per-project
.npmrc files to keep local configuration out of published packages.
(@othiym23)
13c286d
#9348 Filter "private"
(underscore-prefixed, even when scoped to a registry) configuration values
out of child environments. (@othiym23)
e40e71f
#6412 Improve the search strategy
used by the npm shims for Windows to prioritize your own local npm installs.
npm has really needed this tweak for a long time, so hammer on it and let us
know if you run into issues, but with luck it will Just Work.
(@joaocgreis)
204ebbb
#8751
#7333 Keep autorun
scripts from
interfering with npm package and lifecycle script execution on Windows by
adding /d and /s when invoking cmd.exe.
(@saper)
286f3d9
#9201 For a while npm was building
HTML partials for use on docs.npmjs.com, but we
weren't actually using them. Stop building them, which makes running the full
test suite and installation process around a third faster.
(@isaacs)
This release adds support for teens and orcs (err, teams and organizations) to the npm CLI! Note that the web site and registry-side features of this are still not ready for public consumption.
A beta should be starting in the next couple of weeks, and the features themselves will become public once all that's done. Keep an eye out for more news!
All of these changes were done under #9011:
6424170
Added new npm team command and subcommands.
(@zkat)52220d1
Added documentation for new npm team command.
(@zkat)4e66830
Updated npm access to support teams and organizations.
(@zkat)ea3eb87
Gussied up docs for npm access with new commands.
(@zkat)6e0b431
Fix up npm whoami to make the underlying API usable elsewhere.
(@zkat)f29c931
npm-registry-client@7.0.1: Upgrade npm-registry-client API to support
team and access calls against the registry.
(@zkat)c977e12
init-package-json@1.8.0: Checks for some npm@3 metadata.
(@iarna)5c8c9e5
columnify@1.5.2: Updated some dependencies.
(@timoxley)5d56742
chownr@1.0.1: Tests, docs, and minor style nits.
(@isaacs)
This is another quiet week for the npm@2 release.
@zkat has been working hard on polishing the CLI
bits of the registry's new feature to support direct management of teams and
organizations, and @iarna continues to work through
the list of issues blocking the general release of npm@3, which is looking
more and more solid all the time.
@othiym23 and @zkat have also been at this week's Node.js / io.js collaborator summit, both as facilitators and participants. This is a valuable opportunity to get some face time with other contributors and to work through a bunch of important discussions, but it does leave us feeling kind of sleepy. Running meetings is hard!
What does that leave for this release? A few of the more tricky bug fixes that have been sitting around for a little while now, and a couple dependency upgrades. Nothing too fancy, but most of these were contributed by developers like you, which we think is swell. Thanks!
d7271b8
#4530 The bash completion script
for npm no longer alters global completion behavior around word breaks.
(@whitty)c9ce294
#7198 When setting up dependencies
to be shared via npm link <package>, only run the lifecycle scripts during
the original link, not when running npm link <package> or npm install
--link against them. (@murgatroid99)422da66
#9108 Clear up minor confusion
around wording in bundledDependencies section of package.json docs.
(@derekpeterson)6b42d99
#9146 Include scripts that run for
preversion, version, and postversion in the section for lifecycle
scripts rather than the generic npm run-script output.
(@othiym23)91a48bb
chmodr@1.0.1: Ignore symbolic links when recursively changing mode, just
like the Unix command. (@isaacs)4bbc86e
nock@2.10.0 (@pgte)
Hey everyone! I hope you've had a great week. We're having a fairly small release this week while we wrap up Teams and Orgs (or, as we've taken to calling it internally, Teens and Orcs).
In other exciting news, a bunch of us are gonna be at the Node.js Collaborator Summit, and you can also find us at wafflejs on Wednesday. Hopefully we'll be seeing some of you there. :)
So here it is. The patch. Hope it helps. (Thanks, @ktarplee!)
Hooray.
It's pretty hard to outdo last week's release buuuuut~ I promise I'll have a treat when we release our shiny new Teams and Organizations feature! :D (Coming Soon™). It'll be a real gem.
That means it's a pretty low-key release this week. We got some nice documentation tweaks, a few bugfixes, and other such things, though!
Oh, and a bunch of version bumps. Thanks, semver!
2fac6ae
#9012 A convenience for releases --
using the globally-installed npm before now was causing minor annoyances, so
we just use the exact same npm we're releasing to build the new release.
(@zkat)
There's a couple of doc updates! The last one might be interesting.
4cd3205
#9002 Updated docs to list the
various files that npm automatically includes and excludes, regardless of
settings.
(@SimenB)cf09e75
#9022 Document the "access" field
in "publishConfig". Did you know you don't need to use --access=public
when publishing scoped packages?! Just put it in your package.json!
Go refresh yourself on scoped packages by checking our docs on them.
(@boennemann)bfd73da
#9013 fixed typo in changelog
(@radarhere)
Basically, semver is up to @5, and that meant we needed to go in and update a
bunch of our dependencies manually. node-gyp is still pending update, since
it's not ours, though!
9232e58
#8972 init-package-json@1.7.1
(@othiym23)ba44f6b
#8972 normalize-package-data@2.3.1
(@othiym23)3901d3c
#8972 npm-install-checks@1.0.6
(@othiym23)ffcc7dd
#8972 npm-package-arg@4.0.2
(@othiym23)7128f9e
#8972 npm-registry-client@6.5.1
(@othiym23)af28911
#8972 read-installed@4.0.2
(@othiym23)3cc817a
#8972 node-gyp needs its own version
of semver
(@othiym23)f98eccc
#8972 semver@5.0.1: Stop including
browser builds.
(@isaacs)
And some other version bumps for good measure.
254ecfb
#8990 marked-man@0.1.5: Fixes an
issue with documentation rendering where backticks in 2nd-level headers would
break rendering (?!?!)
(@steveklabnik)79efd79
minimatch@2.0.10: A pattern like '*.!(x).!(y)' should not match a name
like 'a.xyz.yab'.
(@isaacs)39c7dc9
request@2.60.0: A few bug fixes and doc updates.
(@simov)72d3c3a
rimraf@2.4.2: Minor doc and dep updates
(@isaacs)7513035
nock@2.9.1
(@pgte)3d9aa82
Fixes this thing where Kat decided to save nock as a regular dependency ;)
(@othiym23)
Kat: Hooray! Full team again, and we've got a pretty small patch release this week, about everyone's favorite recurring issue: git URLs!
Rebecca: No Way! Again?
Kat: The ride never ends! In the meantime, there's some fun, exciting work in the background to get orgs and teams out the door. Keep an eye out for news. :)
Rebecca: And make sure to keep an eye out for patches for the super-fresh
npm@3!
Rebecca: So what's this about another git URL issue?
Kat: Welp, I apparently broke backwards-compatibility on what are actually
invalid git+https URLs! So I'm making it work, but we're gonna deprecate URLs
that look like git+https://user@host:path/is/here.
Rebecca: What should we use instead?!
Kat: Just do me a solid and use git+ssh://user@host:path/here or
git+https://user@host/absolute/https/path instead!
769f06e
Updated tests for getResolved so the URLs are run through
normalize-git-url.
(@zkat)
edbae68
#8881 Added tests to verify that git+https: URLs are handled compatibly.
(@zkat)
bad4e014
#8924 Make sure documented default
values in lib/cache.js properly correspond to current code.
(@watilde)
e7a11fd
#8036 Clarify in the documentation for
.npmrc that it's not read at the project level when doing global
installs.
(@espadrine)
Kat: That's it for npm core changes!
Rebecca: Great! Let's look at the fresh new dependencies, then!
Kat: See you all next week!
Both: Stay Freeesh~
(some cat form of Forrest can be seen snoring in the corner)
bfa1f45
normalize-git-url@3.0.1: Fixes url normalization such that git+https:
accepts scp syntax, but gets converted into absolute-path https: URLs. Also
fixes scp syntax so you can have absolute paths after the :
(git@myhost.org:/some/absolute/place.git)
(@zkat)
6f757d2
glob@5.0.15: Better handling of ENOTSUP
(@isaacs)
0920819
node-gyp@2.0.2: Fixes an issue with long paths on Win32
(@TooTallNate)
But Forrest's still kinda on vacation, and not just mentally, because he's hanging out with the fine meatbags at CascadiaFest. Enjoy this small bug release.
40981f2
#8862 Make the lifecycle's safety
check work with scoped packages. (@tcort)
5125856
#8855 Make dependency versions of
"*" match "latest" when all versions are prerelease.
(@iarna)
22fdc1d
Visually emphasize the correct way to write lifecycle scripts.
(@josh-egan)
413c3ac
Use npm's 2.x branch for testing its 2.x branch.
(@iarna)
7602f64
Don't prompt for GnuPG passphrase in version lifecycle tests.
(@othiym23)
npm outdated HAPPY
d338668
#8796 fstream-npm@1.0.4: When packing the
package tarball, npm no longer crashes for packages with certain combinations of
.npmignore entries, .gitignore entries, and lifecycle scripts.
(@iarna)
dbe7c9c
nock@2.7.0: Add matching based on query strings.
(@othiym23)
There are new versions of strip-ansi and ansi-regex, but npm only uses them
indirectly, so we pushed them down into their dependencies where they can get
updated at their own pace.
Well, not everything. Just a couple of goodies, like the new npm ping
command, and the ability to add files to the commits created by npm version
with the new version hooks. There's also a couple of bugfixes in npm itself
and some of its dependencies. Here we go!
Yes, that's right! We now have a dedicated npm ping command. It's super simple
and super easy. You ping. We tell you whether you pinged right by saying hello
right back. This should help out folks dealing with things like proxy issues or
other registry-access debugging issues. Give it a shot!
This addresses #5750, and will help
with the npm doctor stuff described in
#6756.
f1f7a85
Add ping command to CLI
(@michaelnisi)
8cec629
Add ping command to npm-registry-client
(@michaelnisi)
0c0c92d
Fixed ping command issues (added docs, tests, fixed minor bugs, etc)
(@zkat)
version SINCE LIKE LITERALLY FOREVER AND A DAY
Seriously! This patch lets you add files to the version commit before it's
made, so you can add additional metadata files, more automated changes to
package.json, or even generate CHANGELOG.md automatically pre-commit if
you're into that sort of thing. I'm so happy this is there I can't even. Do you
have other fun usecases for this? Tell
npmbot (@npmjs) about it!
582f170
#8620 version: Allow scripts to add
files to the commit.
(@jamestalmage)
We've had problems in the past with things like EMFILE errors popping up when
trying to install packages with a bunch of dependencies. Isaac patched up
graceful-fs to handle this case
better, so we should be seeing fewer of those.
022691a
graceful-fs@4.1.2: Updated so we can monkey patch globally.
(@isaacs)
c9fb0fd
Globally monkey-patch graceful-fs. This should fix some errors when installing
packages with lots of dependencies.
(@isaacs)
5587d0d
Nice clarification for directories.bin
(@ujane)
20673c7
Hey, Windows folks! Check out
nvm-windows
(@ArtskydJ)
5afa2d5
validate-npm-package-name@2.2.2: Documented package name rules in README
(@zeusdeux)
021f4d9
rimraf@2.4.1: #74 Use async
function for bin (to better handle Windows' EBUSY)
(@isaacs)
5223432
osenv@0.1.3: Use os.homedir() polyfill for more reliable output. io.js
added the function and the polyfill does a better job than the prior solution.
(@sindresorhus)
8ebbc90
npm-cache-filename@1.0.2: Make sure different git references get different
cache folders. This should prevent foo/bar#v1.0 and foo/bar#master from
sharing the same cache folder.
(@tomekwi)
367b854
lru-cache@2.6.5: Minor test/typo changes
(@isaacs)
9fcae61
glob@5.0.13: Tiny doc change + stop firing 'match' events for ignored items.
(@isaacs)
7827249
PeerDependencies errors now include the package version.
(@NickHeiner)
I keep hearing some commotion. Is there something going on? Like, a party or something? Anyway, here's a small release with at least two significant bug fixes, at least one of which some of you have been waiting for for quite a while.
npm@2.12.0 has a change that introduces a fix for a permissions problem
whereby the _locks directory in the cache directory can end up being owned by
root. The fix in 2.12.0 takes care of that problem, but introduces a new
problem for Windows users where npm tries to call process.getuid(), which
doesn't exist on Windows. It was easy enough to fix (but more or less
impossible to test, thanks to all the external dependencies involved with
permissions and platforms and whatnot), but as a result, Windows users might
want to skip npm@2.12.0 and go straight to npm@2.12.1. Sorry about that!
7e5da23
When using the new, "fixed" cache directory creator, be extra-careful to not
call process.getuid() on platforms that lack it.
(@othiym23)
New npm CLI team hero @zkat has finally (FINALLY)
fixed the regression somebody (hi!) introduced a couple months ago whereby git
URLs of the format git+ssh://user@githost.com:org/repo.git suddenly stopped
working, and also started being saved (and cached) incorrectly. I am 100% sure
there are absolutely no more bugs in the git caching code at all ever. Mm hm.
Yep. Pretty sure. Maybe. Hmm... I hope.
Sighs audibly.
Let us know if we broke something else with this fix.
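The URL shapes named here and in the git+https: notes further up can be told apart mechanically, which is handy when auditing a package.json for forms that are accepted only for compatibility. This is an added example, not code from npm or normalize-git-url; classifyGitSpec, findDeprecatedGitSpecs and the sample dependency map are hypothetical names and constructed data.

```javascript
// Added illustration, not normalize-git-url's code. It only classifies the
// URL shapes named in these release notes; IPv6 literals are out of scope.
const SCHEMES = /^(git\+ssh|git\+https):\/\//;

function classifyGitSpec(spec) {
  const hashAt = spec.indexOf('#');
  const base = hashAt === -1 ? spec : spec.slice(0, hashAt);
  const committish = hashAt === -1 ? '' : spec.slice(hashAt); // e.g. "#v1.0"

  const m = SCHEMES.exec(base);
  if (!m) return { spec, form: 'other', deprecated: false, suggestion: null };
  const scheme = m[1];
  const after = base.slice(m[0].length);

  // Userinfo ends at the last "@" that precedes the first "/".
  // It may embed credentials, so treat results as sensitive when logging.
  const firstSlash = after.indexOf('/');
  const authorityEnd = firstSlash === -1 ? after.length : firstSlash;
  const at = after.lastIndexOf('@', authorityEnd);
  const userinfo = at === -1 ? '' : after.slice(0, at + 1); // keeps the "@"
  const hostAndRest = after.slice(at + 1);

  const ordinary = { spec, form: 'url', deprecated: false, suggestion: null };
  const colon = hostAndRest.indexOf(':');
  const slash = hostAndRest.indexOf('/');
  if (colon === -1 || (slash !== -1 && slash < colon)) return ordinary;

  const host = hostAndRest.slice(0, colon);
  const rest = hostAndRest.slice(colon + 1);
  // "host:8443/x" is a port. An all-digit first segment is read as a port,
  // which is the ambiguity that makes "host:path" fragile in a real URL.
  if (/^\d+$/.test(rest.split('/')[0])) return ordinary;

  if (scheme === 'git+ssh') {
    // Not a URL strictly speaking, but treated like one.
    return { spec, form: 'scp-style', deprecated: false, suggestion: null };
  }
  // git+https with an scp-style path: still accepted, but deprecated.
  // The replacement is the absolute-path https form.
  const path = rest.replace(/^\/+/, '');
  return {
    spec,
    form: 'scp-style',
    deprecated: true,
    suggestion: `git+https://${userinfo}${host}/${path}${committish}`,
  };
}

// Return only the dependencies whose spec uses the deprecated form.
function findDeprecatedGitSpecs(dependencies) {
  return Object.entries(dependencies)
    .map(([name, spec]) => ({ name, ...classifyGitSpec(spec) }))
    .filter((result) => result.deprecated);
}

// Constructed sample input, using the host names from these notes.
const sampleDependencies = {
  sshScp: 'git+ssh://user@githost.com:org/repo.git',
  httpsScp: 'git+https://user@host:path/is/here',
  httpsAbsolute: 'git+https://user@host/absolute/https/path',
  httpsPort: 'git+https://host:8443/org/repo.git#v1.0',
  httpsScpAbsolute: 'git+https://git@myhost.org:/some/absolute/place.git#master',
  registryRange: '^1.2.3',
};

for (const finding of findDeprecatedGitSpecs(sampleDependencies)) {
  console.log(`${finding.name}: use ${finding.suggestion}`);
}
```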
94ca4a7
#8031 Even though
git+ssh://user@githost.com:org/repo.git isn't a URL, treat it like one for
the purposes of npm. (@zkat)
e7f56e5
#8031 normalize-git-url@2.0.0:
Handle git URLs (and URL-like remote refs) in a manner consistent with npm's
docs. (@zkat)
679bf47
#40 read-installed@4.0.1:
Handle prerelease versions in top-level dependencies not in package.json
without marking those packages as invalid.
(@benjamn)
3a67410
tap@1.3.1 (@isaacs)
151904a
nopt@3.0.3 (@isaacs)
About a million people have filed issues related to having a tough time using npm after they've run npm once or twice with sudo. "Don't worry about it!" I said. "We've fixed all those permissions problems ages ago! Use this one weird trick and you'll never have to deal with this again!"
Well, uh, if you run npm with root the first time you run npm on a machine, it
turns out that the directory npm uses to store lockfiles ends up being owned by
the wrong user (almost always root), and that can, well, it can cause problems
sometimes. By which I mean every time you run npm without being root it'll barf
with EACCES errors. Whoops!
This is an obnoxious regression, and to prevent it from recurring, we've made
it so that the cache, cached git remotes, and the lockfile directories are all
created and maintained using the same utility module, which not only creates the
relevant paths with the correct permissions, but will fix the permissions on
those directories (if it can) when it notices that they're broken. An npm
install run as root ought to be sufficient to fix things up (and if that
doesn't work, first tell us about it, and then run sudo chown -R $(whoami)
$HOME/.npm)
Also, I apologize for inadvertently gaslighting any of you by claiming this bug wasn't actually a bug. I do think we've got this permanently dealt with now, but I'll be paying extra-close attention to permissions issues related to the cache for a while.
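One way to check whether a cache tree has the ownership problem described above, with the same guard against a missing process.getuid() that the Windows fix in npm@2.12.1 needed. This is an added example, not npm's utility module; currentUid, findForeignOwned and the temporary sample directory are assumptions made for the illustration.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Added illustration, not npm's own code.
// Returns null where ownership cannot be compared (process.getuid is absent
// on Windows), otherwise the uid this process runs as.
function currentUid() {
  return typeof process.getuid === 'function' ? process.getuid() : null;
}

// Walk `root` without following symlinks and list every entry that is not
// owned by `expectedUid`. Entries that cannot be read are reported rather
// than skipped, since EACCES is the symptom being hunted.
function findForeignOwned(root, expectedUid) {
  const findings = [];
  if (expectedUid === null) return findings; // nothing to compare against
  const stack = [root];
  while (stack.length > 0) {
    const current = stack.pop();
    let st;
    try {
      st = fs.lstatSync(current);
    } catch (err) {
      findings.push({ path: current, problem: err.code });
      continue;
    }
    if (st.uid !== expectedUid) {
      findings.push({ path: current, problem: 'owner', uid: st.uid });
    }
    if (!st.isDirectory()) continue;
    let names;
    try {
      names = fs.readdirSync(current);
    } catch (err) {
      findings.push({ path: current, problem: err.code });
      continue;
    }
    for (const name of names) stack.push(path.join(current, name));
  }
  return findings;
}

// Constructed stand-in for a cache directory: <tmp>/_locks/example.lock
function makeSampleCache() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'npm-cache-sample-'));
  fs.mkdirSync(path.join(root, '_locks'));
  fs.writeFileSync(path.join(root, '_locks', 'example.lock'), '');
  return root;
}

function removeSampleCache(root) {
  fs.unlinkSync(path.join(root, '_locks', 'example.lock'));
  fs.rmdirSync(path.join(root, '_locks'));
  fs.rmdirSync(root);
}

// Demo on the constructed tree. To audit a real cache, pass its path
// instead, for example path.join(os.homedir(), '.npm').
const demoRoot = makeSampleCache();
console.log(findForeignOwned(demoRoot, currentUid()));
removeSampleCache(demoRoot);
```

Any entry reported with problem 'owner' is a candidate for the chown command quoted above.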
That's not literally true. We spent very little time discussing SPDX, @kemitchell is a champ, and I had a lot of fun playing drum & bass to a mostly empty Boogie Barn and only ended up with one moderately severe cold for my pains. Another winner of a NodeConf! (I would probably wear a SPDX T-shirt if somebody gave me one, though.)
A bunch of us did have a spirited discussion of the basics of open-source
intellectual property, and the convergence of me,
@kemitchell, and
@jandrieu in one place allowed us to hammer out
a small but significant issue that had been bedeviling early adopters of the
new SPDX expression syntax in package.json license fields: how to deal with
packages that are left without a license on purpose.
Refer to the docs
for the specifics, but the short version is that instead of using
LicenseRef-LICENSE for proprietary licenses, you can now use either
UNLICENSED if you want to make it clear that you don't want your software
to be licensed (and want npm to stop warning you about this), or SEE LICENSE
IN <filename> if there's a license with custom text you want to use. At some
point in the near term, we'll be updating npm to verify that the mentioned
file actually exists, but for now you're all on the honor system.
4827fc7
#8557
normalize-package-data@2.2.1: Allow UNLICENSED and SEE LICENSE IN
<filename> in "license" field of package.json.
(@kemitchell)
16a3dd5
#8557 Document the new accepted
values for the "license" field.
(@kemitchell)
8155311
#8557 init-package-json@1.7.0:
Support new "license" field values at init time.
(@kemitchell)
9d8cac9
#8548 Remove extraneous newline
from npm view output, making it easier to use in shell scripts.
(@eush77)
765fd4b
#8521 When checking for outdated
packages, or updating packages, raise an error when the registry is
unreachable instead of silently "succeeding".
(@ryantemple)
5018335
#8365 Add details about which git
environment variables are whitelisted by npm.
(@nmalaguti)
bed9edd
#8554 Fix typo in version docs.
(@rainyday)
7ce2f06
request@2.58.0: Refactor tunneling logic, and use extend instead of
abusing util._extend. (@simov)
e6c6195
nock@2.6.0: Refined interception behavior.
(@pgte)
9583cc3
fstream-npm@1.0.3: Ensure that main entry in package.json is always
included in the bundled package tarball.
(@coderhaoxin)
df89493
fstream@1.0.7 (@isaacs)
9744049
dezalgo@1.0.3: dezalgo should be usable in the browser, and can be now
that asap has been upgraded to be browserifiable.
(@mvayngrib)
This was a very quiet week. This release was done by @iarna, while the rest of the team hangs out at NodeConf Adventure!
9f439da
spdx@0.4.1: License range updates
(@kemitchell)
2dd055b
normalize-package-data@2.2.1: Fixes a crashing bug when the package.json
scripts property is not an object.
(@iarna)
e02e85d
osenv@0.1.2: Switches to using the os-tmpdir module instead of
os.tmpdir() for greater consistency in behavior between node versions.
(@iarna)
a6f0265
ini@1.3.4 (@isaacs)
7395977
rimraf@2.4.0 (@isaacs)
Another small release this week, brought to you by the latest addition to the CLI team, @zkat (Hi, all!)
Mostly small documentation tweaks and version updates. Oh! And npm outdated
is actually sorted now. Rejoice!
It's gonna be a while before we get another palindromic version number. Enjoy it while it lasts. :3
31aada4
#8401 npm outdated output is just
that much nicer to consume now, due to sorting by name.
(@watilde)
458a919
#8469 Explicitly set cwd for
preversion, version, and postversion scripts. This makes the scripts
findable relative to the root dir.
(@alexkwolfe)
55d6d71
Ensure package name and version are included in display during npm version
lifecycle execution. Gets rid of those little undefineds in the console.
(@othiym23)
3901e49
#8462 English apparently requires
correspondence between indefinite articles and attached nouns.
(@Enet4)
5a744e4
#8421 The effect of npm prune's
--production flag and how to use it have been documented a bit better.
(@foiseworth)
eada625
We've updated our .mailmap and AUTHORS files to make sure credit is given
where credit is due. (@othiym23)
c929fd1
readable-stream@1.1.13: Manually deduped v1.1.13 (streams3) to make
deduping more reliable on npm@<3. (@othiym23)
a9b4b78
request@2.57.0: Replace dependency on IncomingMessage's .client with
.socket as the former was deprecated in io.js 2.2.0.
(@othiym23)
4b5e557
abbrev@1.0.7: Better testing, with coverage.
(@othiym23)
561affe
semver@4.3.6: .npmignore added for less cruft, and better testing, with coverage.
(@othiym23)
60aef3c
graceful-fs@3.0.8: io.js fixes.
(@zkat)
f8bd453
config-chain@1.1.9: Added MIT license to package.json
(@zkat)
This release brought to you from poolside at the Omni Amelia Island Resort and JSConf 2015, which is why it's so tiny.
cf109a6
#8381 Documented a subtle gotcha
with .npmrc, which is that it needs to have its permissions set such that
only the owner can read or write the file.
(@colakong)
180da67
#8365 Git 2.3 adds support for
GIT_SSH_COMMAND, which allows you to pass an explicit git command (with,
for example, a specific identity passed in on the command line).
(@nmalaguti)
b72de41
node-gyp@2.0.0: Use a newer version of gyp, and generally improve support
for Visual Studios and Windows.
(@TooTallNate)
8edbe21
node-gyp@2.0.1: Don't crash when Python's version doesn't parse as valid
semver. (@TooTallNate)
ba0e0a8
glob@5.0.10: Add coverage to tests. (@isaacs)
7333701
request@2.56.0: Bug fixes and dependency upgrades.
(@simov)
For the first time in a very long time, we've added new events to the life
cycle used by npm run-script. Since running npm version (major|minor|patch)
is typically the last thing many developers do before publishing their updated
packages, it makes sense to add life cycle hooks to run tests or otherwise
preflight the package before doing a full publish. Thanks, as always, to the
indefatigable @watilde for yet another great
usability improvement for npm!
b07f7c7
#7906
Add new scripts to
allow you to run scripts before and after
the npm version
command has run. This makes it easy to, for instance, require that your
test suite passes before bumping the version by just adding "preversion":
"npm test" to the scripts section of your package.json.
(@watilde)
8a46136
#8185
When we get a "not found" error from the registry, we'll now check to see
if the package name you specified is invalid and if so, give you a better
error message. (@thefourtheye)
9bcf573
#8324 On Windows, when you've configured a
custom node-gyp, run it with node itself instead of using the default open action (which
is almost never what you want). (@bangbang93)
1da9b04
#7195
#7260 npm-registry-client@6.4.0:
(Re-)allow publication of existing mixed-case packages (part 1).
(@smikes)
e926783
#7195
#7260
normalize-package-data@2.2.0: (Re-)allow publication of existing mixed-case
packages (part 2). (@smikes)
f62ee05
#8314 Update the README to warn
folks away from using the CLI's internal API. For the love of glob, just use a
child process to run the CLI! (@claycarpenter)
1093921
#8279
Update the documentation to note that, yes, you can publish scoped packages to the
public registry now! (@mantoni)
f87cde5
#8292
Fix typo in an example and grammar in the description in
the shrinkwrap documentation.
(@vshih)
d3526ce
Improve the formatting in
the shrinkwrap documentation.
(@othiym23)
19fe6d2
#8311
Update README.md to use syntax highlighting in
its code samples and bits of shell scripts. (@SimenB)
fc52160
#4700 #5044
init-package-json@1.6.0: Make entering an invalid version while running npm init give
you an immediate error and prompt you to correct it. (@watilde)
738853e
#7763 fs-write-stream-atomic@1.0.3: Fix a bug
where errors would not propagate, making error messages unhelpful.
(@iarna)
6d74a2d
npm-package-arg@4.0.1: Fix tests on windows (@Bacra) and with
more recent hosted-git-info. (@iarna)
50f7178
hosted-git-info@2.1.4: Correct spelling in its documentation.
(@iarna)
d7956ca
glob@5.0.7: Fix a bug where unusual error conditions could make
further use of the module fail. (@isaacs)
44f7d74
tap@1.1.0: Update to the most recent tap to get a whole host of bug
fixes and integration with coveralls.
(@isaacs)
c21e8a8
nock@2.2.0 (@othiym23)
dc77520
When getting back a 404 from a request to a private registry that uses a
registry path that extends past the root
(http://registry.enterprise.co/path/to/registry), display the name of the
nonexistent package, rather than the first element in the registry API path.
Sorry, Artifactory users! (@hayes)
f70dea9
Make clearer that --registry can be used on a per-publish basis to push a
package to a non-default registry. (@mischkl)
a3e26f5
Did you know that GitHub shortcuts can have commit-ishes included
(org/repo#branch)? They can! (@iarna)
0e2c091
Some errors from readPackage were being swallowed, potentially leading to
invalid package trees on disk. (@smikes)
0b901ad
lru-cache@2.6.3: Removed some cruft from the published package.
(@isaacs)
d713e0b
mkdirp@0.5.1: Made compliant with standard, dropped support for Node 0.6,
added (Travis) support for Node 0.12 and io.js.
(@isaacs)
a2d6578
glob@1.0.3: Updated to use tap@1. (@isaacs)
64cd1a5
fstream@1.0.6: Made compliant with standard
(done by @othiym23, and then debugged and
fixed by @iarna), and license changed to ISC.
(@othiym23 /
@iarna)
b527a7c
which@1.1.1: Callers can pass in their own PATH instead of relying on
process.env. (@isaacs)
If you've done much development in The Enterprise®™, you know that keeping track of software licenses is far more important than one might expect / hope / fear. Tracking licenses is a hassle, and while many (if not most) of us have (reluctantly) gotten around to setting a license to use by default with all our new projects (even if it's just WTFPL), that's about as far as most of us think about it. In big enterprise shops, ensuring that projects don't inadvertently use software with unacceptably encumbered licenses is serious business, and developers spend a surprising (and appalling) amount of time ensuring that licensing is covered by writing automated checkers and other license auditing tools.
The Linux Foundation has been working on a machine-parseable syntax for license
expressions in the form of SPDX, an appropriately
enterprisey acronym. IP attorney and JavaScript culture hero Kyle
Mitchell has put a considerable amount of effort into
bringing SPDX to JavaScript and Node. He's written
spdx.js, a JavaScript SPDX
expression parser, and has integrated it into npm in a few different ways.
For you as a user of npm, this means:
package.json, due to
SPDX's compound expression syntax. Run npm help package.json for details.
package.json for your project is either missing a
"license" field, or if the value of that field isn't a valid SPDX
expression (pro tip: "BSD" becomes "BSD-2-Clause" in SPDX (unless you
really want one of its variants); "MIT" and "ISC" are fine as-is; the
full list
is its own package).
npm init now demands that you use a valid SPDX expression when using it
interactively (pro tip: I mostly use npm init -y, having previously run
npm config set init.license=MIT / npm config set init.author.email=foo /
npm config set init.author.name=me).
package.json has been updated to tell you how to use
the "license" field properly with SPDX.
In general, this shouldn't be a big deal for anybody other than people trying to run their own automated license validators, but in the long run, if everybody switches to this format, many people's lives will be made much simpler. I think this is an important improvement for npm and am very thankful to Kyle for taking the lead on this. Also, even if you think all of this is completely stupid, just choose a license anyway. Future you will thank past you someday, unless you are djb, in which case you are djb, and more power to you.
8669f7d
#8179 Document how to use SPDX in
license stanzas in package.json, including how to migrate from old busted
license declaration arrays to fancy new compound-license clauses.
(@kemitchell)
98ad98c
#8197 init-package-json@1.5.0
Ensure that packages bootstrapped with npm init use an SPDX-compliant
license expression. (@kemitchell)
2ad3905
#8197
normalize-package-data@2.1.0: Warn when a package is missing a license
declaration, or using a license expression that isn't valid SPDX.
(@kemitchell)
127bb73
#8197 tar@2.1.1: Switch from
BSD to ISC for license, where the latter is valid SPDX.
(@othiym23)
e9a933a
#8197 once@1.3.2: Switch from
BSD to ISC for license, where the latter is valid SPDX.
(@othiym23)
412401f
#8197 semver@4.3.4: Switch from
BSD to ISC for license, where the latter is valid SPDX.
(@othiym23)
As a corollary to the previous changes, I've put some work into making npm
install spew out fewer pointless warnings about missing values in transitive
dependencies. From now on, npm will only warn you about missing READMEs,
license fields, and the like for top-level projects (including packages you
directly install into your application, but we may relax that eventually).
Practically nobody liked having those warnings displayed for child dependencies, for the simple reason that there was very little that anybody could do about those warnings, unless they happened to be the maintainers of those dependencies themselves. Since many, many projects don't have SPDX-compliant licenses, the number of warnings reached a level where they ran the risk of turning into a block of visual noise that developers (read: me, and probably you) would ignore forever.
So I fixed it. If you still want to see the messages about child dependencies,
they're still there, but have been pushed down a logging level to info. You
can display them by running npm install -d or npm install --loglevel=info.
eb18245
Only warn on normalization errors for top-level dependencies. Transitive
dependency validation warnings are logged at info level.
(@othiym23)
e40e809
tap@1.0.1: TAP: The Next Generation. Fix up many tests so they work
properly with the new major version of node-tap. Look at all the colors!
(@isaacs)
f9314e9
nock@1.9.0: Minor tweaks and bug fixes. (@pgte)
45c2b1a
#8187 npm ls wasn't properly
recognizing dependencies installed from GitHub repositories as git
dependencies, and so wasn't displaying them as such.
(@zornme)
1ab57c3
In some cases, npm help was using something that looked like a regular
expression where a glob pattern should be used, and vice versa.
(@isaacs)
The first item below is actually a pretty big deal, as it fixes (with a
one-word change and a much, much longer test case (thanks again,
@iarna)) a regression that's been around for months
now. If you're depending on multiple branches of a single git dependency in a
single project, you probably want to check out npm@2.9.1 and verify that
things (again?) work correctly in your project.
178a6ad
#7202 When caching git
dependencies, do so by the whole URL, including the branch name, so that if a
single application depends on multiple branches from the same repository (in
practice, multiple version tags), every install is of the correct version,
instead of reusing whichever branch the caching process happened to check out
first. (@iarna)
63b79cc
#8084 Ensure that Bitbucket,
GitHub, and Gitlab dependencies are installed the same way as non-hosted git
dependencies, fixing npm install --link.
(@laiso)
These changes may seem simple and small (except Lin's fix to the package name restrictions, which was more an egregious oversight on our part), but cleaner documentation makes npm significantly more pleasant to use. I really appreciate all the typo fixes, clarifications, and formatting tweaks people send us, and am delighted that we get so many of these pull requests. Thanks, everybody!
ca478dc
#8137 Somehow, we had failed to
clearly document the full restrictions on package names.
@linclark has now fixed that, although we will
take with us to our graves the reasons why the maximum package name length is 214
characters (well, OK, it was that that was the longest name in the registry
when we decided to put a cap on the name length).
(@linclark)
b574076
#8079 Make the npm shrinkwrap
documentation use code formatting for examples consistently. It would be
great to do this for more commands HINT HINT.
(@RichardLitt)
1ff636e
#8105 Document that the global
npmrc goes in $PREFIX/etc/npmrc, instead of $PREFIX/npmrc.
(@anttti)
c3f2f7c
#8127 Document how to use npm run
build directly (hint: it's different from npm build!).
(@mikemaccana)
873e467
#8069 Take the old, dead npm
mailing list address out of package.json. It seems that people don't have
much trouble figuring out how to report errors to npm.
(@robertkowalski)
5abfc9c
#7973 npm run-script completion
will only suggest run scripts, instead of including dependencies. If for some
reason you still wanted it to suggest dependencies, let us know.
(@mantoni)
4b564f0
#8081 Use osenv to parse the
environment's PATH in a platform-neutral way.
(@watilde)
a4b6238
#8094 When we refactored the
configuration code to split out checking for IPv4 local addresses, we
inadvertently completely broke it by failing to return the values. In
addition, just the call to os.getInterfaces() could throw on systems where
querying the network configuration requires elevated privileges (e.g. Amazon
Lambda). Add the return, and trap errors so they don't cause npm to explode.
Thanks to @mhart for bringing this to our
attention! (@othiym23)
000cd8b
rimraf@2.3.3: More informative assertions on argument validation failure.
(@isaacs)
530a2e3
lru-cache@2.6.2: Revert to old key access-time behavior, as it was correct
all along. (@isaacs)
d88958c
minimatch@2.0.7: Feature detection and test improvements.
(@isaacs)
3fa39e4
nock@1.7.1 (@pgte)
This week was kind of a breather to concentrate on fixing up the tests on the
multi-stage branch, and not mess with git issues for a little while.
Unfortunately, there are now enough severe git issues that we'll probably have
to spend another couple weeks tackling them. In the meantime, enjoy these two
small features. They're just enough to qualify for a semver-minor bump:
2799322
#7426 Include local modules in npm
outdated and npm update. (@ArnaudRinquin)
2114862
#8014 The prefix used before the
version on version tags is now configurable via tag-version-prefix. Be
careful with this one and read the docs before using it.
(@kkragenbrink)
18ce0ec
#3032 npm unpublish will now use
the registry set in package.json, just like npm publish. This only
applies, for now, when unpublishing the entire package, as unpublishing a
single version requires the name be included on the command line and
therefore doesn't read from package.json. (@watilde)
9ad2100
#8008 Once again, when considering
what to install on npm install, include devDependencies.
(@smikes)
5466260
#8003 Clarify the documentation
around scopes to make it easier to understand how they support private
packages. (@smikes)
faf65a7
init-package-json@1.4.2: If there are multiple validation errors and
warnings, ensure they all get displayed (includes a rad new way of testing
init-package-json contributed by
@michaelnisi).
(@MisumiRize)
7f10f38
editor@1.0.0: 1.0.0 is literally more than 0.1.0 (no change aside from
version number). (@substack)
4979af3
#6805 npm-registry-client@6.3.3:
Decode scoped package names sent by the registry so they look nicer.
(@mmalecki)
This is the fourth release of npm this week, so it's mostly just landing a few
small outstanding PRs on dependencies and some tiny documentation tweaks.
npm@2.8.3 is where the real action is.
ee2bd77
#7983 tar@2.1.0: Better error
reporting in corrupted tar files, and add support for the fromBase flag
(rescued from the dustbin of history by
@deanmarano).
(@othiym23)
d8eee6c
init-package-json@1.4.1: Add support for a default author, and only add
scope to a package name once. (@othiym23)
4fc5d98
lru-cache@2.6.1: Small tweaks to cache value aging and entry counting that
are irrelevant to npm. (@isaacs)
1fe5840
#7946 Make npm init text
friendlier. (@sandfox)
This is the last of a set of releases intended to ensure npm's git support is robust enough that we can stop working on it for a while. These fixes are small, but prevent a common crasher and clear up one of the more confusing error messages coming out of npm when working with repositories hosted on git.
387f889
#7961 Ensure that hosted git SSH
URLs always have a valid protocol when stored in resolved fields in
npm-shrinkwrap.json. (@othiym23)
394c2f5
Switch the order in which hosted Git providers are checked to git:,
git+https:, then git+ssh: (from git:, git+ssh:, then git+https:) in
an effort to go from most to least likely to succeed, to make for a less
confusing error message. (@othiym23)
npm has been having an issue with CouchDB's web server since the release
of io.js and Node.js 0.12.0 that has consumed a huge amount of my time
to little visible effect. Sam Mikes picked up the thread from me, and
after a lot of effort
figured out that ultimately there are probably a couple problems with
the new HTTP Agent keep-alive handling in new versions of Node. In
addition, npm-registry-client was gratuitously sending a body along
with a GET request which was triggering the bugs. Sam removed about 10 bytes from
one file in npm-registry-client, and this problem, which has been bugging us for months,
completely went away.
In conclusion, Sam Mikes is great, and anybody using a private registry hosted on CouchDB should thank him for his hard work. Also, thanks to the community at large for pitching in on this bug, which has been around for months now.
431c3bf
#7699 npm-registry-client@6.3.2:
Don't send body with HTTP GET requests when logging in.
(@smikes)
A helpful bug report
led to another round of changes to
hosted-git-info,
some additional test-writing, and a bunch of hands-on testing against actual
private repositories. While the complexity of npm's git dependency handling is
nearly fractal (because npm is very complex, and git is even more complex),
it's feeling way more solid than it has for a while. We think this is a
substantial improvement over what we had before, so give npm@2.8.1 a shot if
you have particularly complex git use cases and
let us know how it goes.
(NOTE: These changes mostly affect cloning and saving references to packages hosted in git repositories, and don't address some known issues with things like lifecycle scripts not being run on npm dependencies. Work continues on other issues that affect parity between git and npm registry packages.)
66377c6
#7872 hosted-git-info@2.1.2: Pass
through credentials embedded in SSH and HTTPS git URLs.
(@othiym23)
15efe12
#7872 Use the new version of
hosted-git-info to pass along credentials embedded in git URLs. Test it.
Test it a lot. (@othiym23)
Big thanks to @ewie for identifying an issue with
how npm was handling peerDependencies that were implicitly installed from the
package.json files of scoped dependencies. This
will be a moot point
with the release of npm@3, but until then, it's important that
peerDependency auto-installation work as expected.
b027319
#7920 Scoped packages with
peerDependencies were installing the peerDependencies into the wrong
directory. (@ewie)
649e31a
#7920 Test peerDependency
installs involving scoped packages using npm-package-arg instead of simple
path tests, for consistency. (@othiym23)
@iarna and I
(@othiym23) have been discussing a
candidate plan
for improving npm's test suite, with the goal of making it easier for new
contributors to get involved with npm by reducing the learning curve
necessary to be able to write good tests for proposed changes. This is the
first substantial piece of that effort. Here's what the commit message for
ed7e249
had to say about this work:
It's too difficult for npm contributors to figure out what the conventional style is for tests. Part of the problem is that the documentation in CONTRIBUTING.md is inadequate, but another important factor is that the tests themselves are written in a variety of styles. One of the most notable examples of this is the fact that many tests use fixture directories to store precooked test scenarios and package.json files.
This had some negative consequences:
- tests weren't idempotent
- subtle dependencies between tests existed
- new tests get written in this deprecated style because it's not obvious that the style is out of favor
- it's hard to figure out why a lot of those directories existed, because they served a variety of purposes, so it was difficult to tell when it was safe to remove them
All in all, the fixture directories were a major source of technical debt, and cleaning them up, while time-consuming, makes the whole test suite much more approachable, and makes it more likely that new tests written by outside contributors will follow a conventional style. To support that, all of the tests touched by this change were cleaned up to pass the standard style checker.
And here's a little extra context from a comment I left on #7929:
One of the other things that encouraged me was looking at this presentation on technical debt from Pycon 2015, especially slide 53, which I interpreted in terms of difficulty getting new contributors to submit patches to an OSS project like npm. npm has a long ways to go, but I feel good about this change.
ed7e249
#7929 Eliminate fixture directories
from test/tap, leaving each test self-contained.
(@othiym23)
4928d30
#7929 Move fixture files from
test/tap/* to test/fixtures. (@othiym23)
e925deb
#7929 Tweak the run scripts to stop
slaughtering the CPU on doc rebuild.
(@othiym23)
65bf7cf
#7923 Use an alias of scripts and
run-scripts in npm run test-all (@watilde)
756a3fb
#7923 Sync timeout time of npm
run-script test-all to be the same as test and tap scripts.
(@watilde)
8299b5f
Set a timeout for tap tests for npm run-script test-all.
(@othiym23)
d90d0b9
#7924 Remove child-process-close,
as it was included for Node 0.6 compatibility, and npm no longer supports
0.6. (@robertkowalski)
16427c1
lru-cache@2.5.2: More accurate updating of expiry times when maxAge is
set. (@isaacs)
03cce83
nock@1.6.0: Mocked network error handling.
(@pgte)
f93b1f0
glob@5.0.5: Use path-is-absolute polyfill, allowing newer Node.js and
io.js versions to use path.isAbsolute().
(@sindresorhus)
a70d694
request@2.55.0: Bug fixes and simplification.
(@simov)
2aecc6f
columnify@1.5.1: Switch to using babel from 6to5.
(@timoxley)

If you look at the last release's release
notes,
you will note that they confidently assert that it's perfectly OK to force all
GitHub URLs through the same git: -> git+ssh: fallback flow for cloning. It
turns out that many users depend on git+https: URLs in their build
environments because they use GitHub auth tokens instead of SSH keys. Also, in
some cases you just want to be able to explicitly say how a given dependency
should be cloned from GitHub.
Because of the way we resolved the inconsistency in GitHub shorthand handling
before, this
turned out to be difficult to work around. So instead of hacking around it, we
completely redid how git is handled within npm and its attendant packages.
Again. This time, we changed things so that normalize-package-data and
read-package-json leave more of the git logic to npm itself, which makes
handling shorthand syntax consistently much easier, and also allows users to
resume using explicit, fully-qualified git URLs without npm messing with them.
Here's a summary of what's changed:
- git+ssh:, git:, or
  git+https: URL and saving that, save the shorthand itself to
  package.json.
- GIT_ASKPASS in
  their environment if they want to experiment with interactive cloning, but
  should also set --no-spin on the npm command line (or run npm config set
  spin=false).
- github:, gist:, bitbucket:,
  and gitlab: shorthand prefixes. GitHub shortcuts will continue to be
  normalized to org/repo instead of being saved as github:org/repo, but
  gitlab:, gist:, and bitbucket: prefixes will be used on the command
  line and from package.json. BE CAREFUL WITH THIS. package.json files
  published with the new shorthand syntax can only be read by npm@2.8.0 and
  later, and this feature is mostly meant for playing around with it. If you
  want to save git dependencies in a form that older versions of npm can read,
  use --save-exact, which will save the git URL and resolved commit hash of
  the head of the branch in a manner similar to the way that --save-exact
  pins versions for registry dependencies. This is documented (so check npm
  help install for details), but we're not going to make a lot of noise about
  it until it has a chance to bake in a little more.

It is @othiym23's sincere hope that this will resolve all of the inconsistencies users were seeing with GitHub and git-hosted packages, but given the level of change here, that may just be a fond wish. Extra testing of this change is requested.
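The notes above mention build environments that clone over git+https: with GitHub auth tokens, and that git URLs are now kept as the user wrote them, so a token can end up in package.json or in a logged git command line. As an added example (not npm's or hosted-git-info's code; `redactGitSpec`, `redactArgv`, `findEmbeddedCredentials` and the sample package.json are hypothetical and constructed here), this check masks credentials in git specs and lists dependencies that carry them:

```javascript
'use strict';

// Added example, not npm's or hosted-git-info's code. All names are
// hypothetical; SAMPLE_PACKAGE is constructed sample data.

const MASK = '***';

// For ssh the login in the userinfo (usually "git") is not a secret; only a
// password after ":" is. For every other scheme a token may sit in either
// position (https://TOKEN@host or https://TOKEN:x-oauth-basic@host).
const SSH_SCHEMES = new Set(['ssh', 'git+ssh']);

// scheme://authority followed by path, query or fragment. A regular
// expression is used so the rest of the spec is returned byte for byte.
const WITH_AUTHORITY = /^([a-z][a-z0-9+.-]*):\/\/([^\/?#]*)([\s\S]*)$/i;

// Return a copy of a dependency spec or git argument that is safe to log.
function redactGitSpec(spec) {
  if (typeof spec !== 'string') return spec;
  const m = WITH_AUTHORITY.exec(spec);
  // Shorthand (org/repo, gitlab:org/repo), semver ranges, scp-style
  // git@host:path and local paths have no "//" authority with a password.
  if (!m) return spec;
  const [, scheme, authority, rest] = m;
  const at = authority.lastIndexOf('@');
  if (at === -1) return spec; // no userinfo at all
  const userinfo = authority.slice(0, at);
  const host = authority.slice(at + 1);
  const colon = userinfo.indexOf(':');
  let safe = MASK;
  if (SSH_SCHEMES.has(scheme.toLowerCase())) {
    safe = colon === -1 ? userinfo : userinfo.slice(0, colon) + ':' + MASK;
  }
  return scheme + '://' + safe + '@' + host + rest;
}

// Redact every argument of a git command line before it is logged.
function redactArgv(argv) {
  return argv.map(redactGitSpec);
}

// List dependencies whose saved spec carries a credential.
function findEmbeddedCredentials(pkg) {
  const fields = ['dependencies', 'devDependencies', 'optionalDependencies'];
  const findings = [];
  for (const field of fields) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const redacted = redactGitSpec(spec);
      if (redacted !== spec) findings.push({ field, name, redacted });
    }
  }
  return findings;
}

// Constructed package.json contents; tokens and hosts are placeholders.
const SAMPLE_PACKAGE = {
  name: 'constructed-example',
  dependencies: {
    a: 'gitlab:org/a',
    b: 'git+https://CONSTRUCTED_TOKEN:x-oauth-basic@github.com/org/b.git#v1.2.0',
    c: 'git+ssh://git@github.com/org/c.git',
    d: '^4.3.2'
  },
  devDependencies: {
    e: 'git+ssh://deploy:CONSTRUCTED_PASSWORD@git.example.com/org/e.git'
  }
};

for (const f of findEmbeddedCredentials(SAMPLE_PACKAGE)) {
  console.log(`${f.field}.${f.name}: ${f.redacted}`);
}
```

Running the check against package.json before publishing, and passing git arguments through `redactArgv` before logging them, keeps tokens out of both places.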
6b0f588
#7867 Use git shorthand and git
URLs as presented by user. Support new hosted-git-info shortcut syntax.
Save shorthand in package.json. Try cloning via git:, git+ssh:, and
git+https:, in that order, when supported by the underlying hosting
provider. (@othiym23)
75d4267
#7867 Document new GitHub, GitHub
gist, Bitbucket, and GitLab shorthand syntax.
(@othiym23)
7d92c75
#7867 When --save-exact is used
with git shorthand or URLs, save the fully-resolved URL, with branch name
resolved to the exact hash for the commit checked out.
(@othiym23)
9220e59
#7867 Ensure that non-prefixed and
non-normalized GitHub shortcuts are saved to package.json.
(@othiym23)
dd398e9
#7867 hosted-git-info@2.1.1:
Ensure that gist: shorthand survives being round-tripped through
package.json. (@othiym23)
33d1420
#7867 hosted-git-info@2.1.0: Add
support for auth embedded directly in git URLs.
(@othiym23)
23a1d5a
#7867 hosted-git-info@2.0.2: Make
it possible to determine in which form a hosted git URL was passed.
(@iarna)
eaf75ac
#7867
normalize-package-data@2.0.0: Normalize GitHub specifiers so they pass
through shortcut syntax and preserve explicit URLs.
(@iarna)
95e0535
#7867 npm-package-arg@4.0.0: Add
git URL and shortcut to hosted git spec and use hosted-git-info@2.0.2.
(@iarna)
a808926
#7867
realize-package-specifier@3.0.0: Use npm-package-arg@4.0.0 and test
shortcut specifier behavior. (@iarna)
6dd1e03
#7867 init-package-json@1.4.0:
Allow dependency on read-package-json@2.0.0.
(@iarna)
63254bb
#7867 read-installed@4.0.0: Use
read-package-json@2.0.0. (@iarna)
254b887
#7867 read-package-json@2.0.0:
Use normalize-package-data@2.0.0. (@iarna)
0b9f8be
#7867 npm-registry-client@6.3.0:
Mark compatibility with normalize-package-data@2.0.0 and
npm-package-arg@4.0.0. (@iarna)
f40ecaa
#7867 Extract a common method to
use when cloning git repos for testing.
(@othiym23)

npm continues to get closer to being completely green on Travis for Node 0.8.
26d36e9
#7842 When spawning child
processes, map exit code 127 to ENOENT so Node 0.8 handles child process
failures the same as later versions.
(@SonicHedgehog)
54cd895
#7842 Node 0.8 requires -e with -p
when evaluating snippets; fix test.
(@SonicHedgehog)
20e9003
tar@2.0.1: Fix regression where relative symbolic links within an
extraction root that pointed within an extraction root would get normalized
to absolute symbolic links. (@isaacs)
2ef8898
#7879 Better document that npm
publish --tag=foo will not set latest to that version.
(@linclark)

Part of the reason that we're reluctant to take patches to how npm deals with
git dependencies is that every time we touch the git support, something breaks.
The last few releases are a case in point. npm@2.7.4 completely broke
installing private modules from GitHub, and npm@2.7.5 fixed them at the cost
of logging a misleading error message that caused many people to believe that
their dependencies hadn't been successfully installed when they actually had
been.
This all started from a desire to ensure that GitHub shortcut syntax is being
handled correctly.  The correct behavior is for npm to try to clone all
dependencies on GitHub (whether they're specified with the GitHub
organization/repository shortcut syntax or not) via the plain git: protocol
first, and to fall back to using git+ssh: if git: doesn't work. Previously,
sometimes npm would use git: and git+ssh: in some cases (most notably when
using GitHub shortcut syntax on the command line), and use git+https: in
others (when the GitHub shortcut syntax was present in package.json). This
led to subtle and hard-to-understand inconsistencies, and we're glad that as of
npm@2.7.6, we've finally gotten things to where they were before we started,
only slightly more consistent overall.
We are now going to go back to our policy of being extremely reluctant to touch the code that handles Git dependencies.
b747593
#7630 Don't automatically log all
git failures as errors. maybeGithub needs to be able to fail without
logging to support its fallback logic.
(@othiym23)
cd67a0d
#7829 When fetching a git remote
URL, handle failures gracefully (without assuming standard output exists).
(@othiym23)
637c7d1
#7829 When fetching a git remote
URL, handle failures gracefully (without assuming standard error exists).
(@othiym23)
78005eb
#7743 Always quote arguments passed
to npm run-script. This allows build systems and the like to safely escape
glob patterns passed as arguments to run-scripts with npm run-script
<script> -- <arguments>. This is a tricky change to test, and may be
reverted or moved to npm@3 if it turns out it breaks things for users.
(@mantoni)
da015ee
#7074 read-package-json@1.3.3:
read-package-json no longer caches package.json files, which trades a
very small performance loss for the elimination of a large class of really
annoying race conditions. See #7074
for the grisly details. (@othiym23)
dd20f57
init-package-json@1.3.2: Only add the @ to scoped package names if it's
not already there when reading from the filesystem
(@watilde), and support inline validation of
package names (@michaelnisi).
1f380f6
#7820 are-we-there-yet@1.0.4: Use
readable-stream instead of built-in stream module to better support
Node.js 0.8.x. (@SonicHedgehog)
d380188
semver@4.3.3: Don't throw on semver.parse(null), and parse numeric
version strings more robustly. (@isaacs)
01d9964
nock@1.4.0: This change may need to be rolled back, or rolled forward,
because nock depends on
setImmediate, which causes tests
to fail when run with Node.js 0.8. (@othiym23)
91f5cb1
#7791 Fix brackets in npmconf so
that loaded is set correctly.
(@charmander)
1349e27
#7818 Update README.md to point
out that the install script now lives on https://www.npmjs.com.
(@weisjohn)
300834e
tar@2.0.0: Normalize symbolic links that point to targets outside the
extraction root. This prevents packages containing symbolic links from
overwriting targets outside the expected paths for a package. Thanks to Tim
Cuthbertson and the team at Lift
Security for working with the npm team to identify
this issue. (@othiym23)
0dc6875
semver@4.3.2: Package versions can be no more than 256 characters long.
This prevents a situation in which parsing the version number can use
exponentially more time and memory to parse, leading to a potential denial of
service. Thanks to Adam Baldwin at Lift Security for bringing this to our
attention. (@isaacs)
5811468
#7713 Add a test for npm link and
npm link <package>. (@watilde)
3cf3b0c
#7713 Only use absolute symbolic
links when npm linking. (@hokaccha)
f35aa93
#7443 Keep relative URLs when
hitting search endpoint. (@othiym23)
eab6184
#7766 One last tweak to ensure that
GitHub shortcuts work with private repositories.
(@iarna)
5d7f704
#7656 Don't try to load a deleted
CA file, allowing the cafile config to be changed.
(@KenanY)
a840a13
#7746 Only fix up URL paths when
there are paths to fix up. (@othiym23)
94df809
request@2.54.0: Fixes for Node.js 0.12 and io.js.
(@simov)
98a13ea
opener@1.4.1: Deal with start on Windows more conventionally.
(@domenic)
c2417c7
require-inject@1.2.0: Add installGlobally to bypass cleanups.
(@iarna)
f87c728
#7696 Months and minutes were
swapped in doc-build.sh (@MeddahJ)
4e216b2
#7752 Update string examples to be
properly quoted. (@snuggs)
402f52a
#7635 Clarify Windows installation
instructions. (@msikma)
c910399
small typo fix to CHANGELOG.md (@e-jigsaw)
fe1bc38
#7672 npm-registry-client@3.1.2:
Fix client-side certificate handling by correcting property name.
(@atamon)
3ce3cc2
#7635 fstream-npm@1.0.2: Raise a
more descriptive error when bundledDependencies isn't an array.
(@KenanY)
3a12723
#7661 Allow setting --registry on
the command line to trump the mapped registry for --scope.
(@othiym23)
89ce829
#7630 hosted-git-info@1.5.3: Part
3 of ensuring that GitHub shorthand is handled consistently.
(@othiym23)
63313eb
#7630
realize-package-specifier@2.2.0: Part 2 of ensuring that GitHub shorthand
is handled consistently. (@othiym23)
3ed41bf
#7630 npm-package-arg@3.1.1: Part
1 of ensuring that GitHub shorthand is handled consistently.
(@othiym23)
6a498c6
npm-registry-couchapp@2.6.7: Ensure that npm continues to work with new
registry architecture. (@bcoe)
bd72c47
glob@5.0.3: Updated to latest version.
(@isaacs)
4bfbaa2
npmlog@1.2.0: Getting up to date with latest version (but not using any of
the new features). (@othiym23)
3703b0b
Add regression test for npm version to ensure message property in config
continues to be honored. (@dannyfritz)
1549106
#7641 Due to 448efd0, running npm
shrinkwrap --dev caused production dependencies to no longer be included in
npm-shrinkwrap.json. Whoopsie! (@othiym23)
fb0ac26
#7579 Only block removing files and
links when we're sure npm isn't responsible for them. This change is hard to
summarize, because if things are working correctly you should never see it,
but if you want more context, just go read the commit
message,
which lays it all out. (@othiym23)
051c473
#7552 bundledDependencies are now
properly included in the installation context. This is another fantastically
hard-to-summarize bug, and once again, I encourage you to read the commit
message
if you're curious about the details. The snappy takeaway is that this
unbreaks many use cases for ember-cli. (@othiym23)
fcd9247
#7597 Awk varies pretty
dramatically from platform to platform, so use Perl to generate the AUTHORS
list instead. (@KenanY)
721b17a
#7598 npm install --save really
isn't experimental anymore. (@RichardLitt)
a91f2c7
#7559 node-gyp@1.0.3 Switch
node-gyp to use stdio instead of customFds so it stops printing a
deprecation warning every time you build a native dependency.
(@jeffbski)
0c85db7
rimraf@2.3.2: Globbing now deals with paths containing valid glob
metacharacters better. (@isaacs)
d14588e
minimatch@2.0.4: Bug fixes. (@isaacs)
aa9952e
graceful-fs@3.0.6: Bug fixes. (@isaacs)
6823807
#7121 npm install --save for Git
dependencies saves the URL passed in, instead of the temporary directory used
to clone the remote repo. Fixes using Git dependencies when shrinkwrapping.
In the process, rewrote the Git dependency caching code. Again. No more
single-letter variable names, and a much clearer workflow.
(@othiym23)
c8258f3
#7486 When installing Git remotes,
the caching code was passing in the function gitEnv instead of the results
of invoking it. (@functino)
c618eed
#2556 Make it possible to install
Git dependencies when using --link by not linking just the Git
dependencies. (@smikes)
abdd040
read-package-json@1.3.2: Provide more helpful error messages when JSON
parse errors are encountered by using a more forgiving JSON parser than
JSON.parse. (@smikes)
c56cfcd
#7525 npm dedupe handles scoped
packages. (@KidkArolis)
1b8ba74
#7531 npm stars and npm whoami
will no longer send the registry the error text saying you need to log in as
your username. (@othiym23)
6de1e91
#6441 Prevent needless reinstalls
by only updating packages when the current version isn't the same as the
version returned as wanted by npm outdated.
(@othiym23)
2abc3ee
Add npm upgrade as an alias for npm update.
(@othiym23)
bcd4722
#7508 FreeBSD uses EAI_FAIL
instead of ENOTFOUND. (@othiym23)
21c1ac4
#7507 Update support URL in generic
error handler to https: from http:.
(@watilde)
b6bd99a
#7492 On install, the
package.json engineStrict deprecation only warns for the current package.
(@othiym23)
4ef1412
#7075 If you try to tag a release
as a valid semver range, npm publish and npm tag will error early instead
of proceeding. (@smikes)
ad53d0f
Use rimraf in npm build script because Windows doesn't know what rm is.
(@othiym23)
8885c4d
rimraf@2.3.1: Better Windows support.
(@isaacs)
8885c4d
glob@4.4.2: Handle bad symlinks properly.
(@isaacs)

E TYPSO & CLARFIICATIONS
dId yuo know that submiting fxies for doc tpyos is an exclelent way to get strated contriburting to a new open-saurce porject?
42c605c
Fix typo in CHANGELOG.md (@adrianblynch)
c9bd58d
Add note about node_modules/.bin being added to the path in npm
run-script. (@quarterto)
903bdd1
Matt Ranney confused the world when he renamed node-redis to redis. "The
world" includes npm's documentation.
(@RichardLitt)
dea9bb2
Fix typo in contributor link. (@watilde)
1226ca9
Properly close code block in npm-install.md.
(@olizilla)

For a very long time (maybe forever?), the documentation for npm run-script
has said that npm restart will only call npm stop and npm start when
there is no command defined as npm restart in package.json. The problem
with this documentation is that npm run-script was apparently never wired up
to actually work this way.
Until now.
If the patch below were landed on its own, free of context, it would be a
breaking change. But, since the "new" behavior is how the documentation claims
this feature has always worked, I'm classifying it as a patch-level bug fix. I
apologize in advance if this breaks anybody's deployment scripts, and if it
turns out to be a significant regression in practice, we can revert this change
and move it to npm@3, which is allowed to make breaking changes due to being
a new major version of semver.
2f6a1df
#1999 Only run stop and start
scripts (plus their pre- and post- scripts) when there's no restart script
defined. This makes it easier to support graceful restarts of services
managed by npm.  (@watilde /
@scien)
145af65
#4887 Replace calls to the
node-gyp script bundled with npm by passing the
--node-gyp=/path/to/node-gyp option to npm. Swap in pangyp or a version
of node-gyp modified to work better with io.js without having to touch
npm's code! (@ackalker)

Following npm@2.6.1's unexpected fix of many of the issues with npm update
-g simply by making --depth=0 the default for npm outdated, friend of npm
@watilde has made several modest changes to npm's
behavior that together justify bumping npm's minor version, as well as making
npm significantly more pleasant to use:
448efd0
#2853 Add support for --dev and
--prod to npm ls, so that you can list only the trees of production or
development dependencies, as desired.
(@watilde)
a0a8777
#7463 Split the list printed by
npm run-script into lifecycle scripts and scripts directly invoked via npm
run-script. (@watilde)
a5edc17
#6749 init-package-json@1.3.1:
Support for passing scopes to npm init so packages are initialized as part
of that scope / organization / team. (@watilde)

It turns out that quite a few pull requests had piled up on npm's issue tracker, and they included some nice small features and fixes:
f33e8b8
#7354 Add --if-present flag to
allow e.g. CI systems to call (semi-) standard build tasks defined in
package.json, but don't raise an error if no such script is defined.
(@jussi-kalliokoski)
7bf85cc
#4005
#6248 Globally unlink a package
when npm rm / npm unlink is called with no arguments.
(@isaacs)
a2e04bd
#7294 Ensure that when depending on
git+<proto> URLs, npm doesn't keep tacking additional git+ prefixes onto
the front. (@twhid)
0f87f5e
#6422 When depending on GitHub
private repositories, make sure we construct the Git URLs correctly.
(@othiym23)
50f461d
#4595 Support finding compressed
manpages. It's still up to the system to figure out how to display them,
though. (@pshevtsov)
44da664
#7465 When calling git, log the
full command, with all arguments, on error.
(@thriqon)
9748d5c
Add parent to error on ETARGET error.
(@davglass)
37038d7
#4663 Remove hackaround for Linux
tests, as it's evidently no longer necessary.
(@mmalecki)
d7b7853
#2612 Add support for path
completion on npm install, which narrows completion to only directories
containing package.json files. (@deestan)
628fcdb
Remove all command completion calls to -/short, because it's been removed
from the primary registry for quite some time, and is generally a poor idea
on any registry with more than a few hundred packages.
(@othiym23)
3f6061d
#6659 Instead of removing zsh
completion global, make it a local instead.
(@othiym23)
5bc70e6
#7417 Provide concrete examples of
how the new npm update defaults work in practice, tied to actual test
cases. Everyone interested in using npm update -g now that it's been fixed
should read these documents, as should anyone interested in writing
documentation for npm. (@smikes)
8ac6f21
#6543 Clarify npm-scripts
warnings to de-emphasize dangers of using install scripts.
(@zeke)
ebe3b37
#6711 Note that git tagging of
versions can be disabled via --no-git-tag-version.
(@smikes)
2ef5771
#6711 Document git-tag-version
configuration option. (@KenanY)
95e59b2
Document that NODE_ENV=production behaves analogously to --production on
npm install. (@stefaneg)
687117a
#7463 Document the new script
grouping behavior in the man page for npm run-script.
(@othiym23)
536b2b6
Rescue one of the disabled tests and make it work properly.
(@smikes)
89fc6a4
which@1.0.9: Test for being run as root, as well as the current user.
(@isaacs)
5d0612f
glob@4.4.1: Better error message to explain why calling sync glob with a
callback results in an error. (@isaacs)
64b07f6
tap@0.7.1: More accurate counts of pending & skipped tests.
(@rmg)
8fda451
semver@4.3.1: Make official the fact that node-semver has moved from
@isaacs's organization to
@npm's. (@isaacs)
8b98f0e
#4471 npm outdated (and only npm
outdated) now defaults to --depth=0. See the docs for
--depth
for the mildly confusing details. (@smikes)
aa79194
#6565 Tweak peerDependency
deprecation warning to include which peer dependency on which package is
going to need to change. (@othiym23)
5fa067f
#7171 Tweak engineStrict
deprecation warning to include which package.json is using it.
(@othiym23)
0fe0caa
glob@4.4.0: Glob patterns can now ignore matches.
(@isaacs)
38c4825
#5068 Add new logout command, and
make it do something useful on both bearer-based and basic-based authed
clients. (@othiym23)
4bf0f5d
npm-registry-client@6.1.1: Support new logout endpoint to invalidate
token for sessions. (@othiym23)
c8e08e6
#6565 Warn that peerDependency
behavior is changing and add a note to the docs.
(@othiym23)
7c81a5f
#7171 Warn that engineStrict in
package.json will be going away in the next major version of npm (coming
soon!) (@othiym23)
add5890
#4668 read-package-json@1.3.1:
Warn when a bin symbolic link is a dangling reference.
(@nicks)
4b42071
semver@4.3.0: Add functions to extract parts of the version triple, fix a
typo. (@isaacs)
a9aff38
Use full path for man pages as the symbolic link source, instead of just the
file name. (@bengl)
6fd0fbd
#7233 Ensure globalconfig path
exists before trying to edit it. (@ljharb)
a0a2620
ini@1.3.3: Allow embedded, quoted equals signs in ini field names.
(@isaacs)

Also typos and other documentation issues were addressed by @rutsky, @imurchie, @marcin-wosinek, @marr, @amZotti, and @karlhorky. Thank you, everyone!
This release doesn't look like much, but considerable effort went into ensuring that npm's tests will pass on io.js 1.1.0 and Node 0.11.16 / 0.12.0 on both OS X and Linux.
NOTE: there are no actual changes to npm's code in npm@2.5.1. Only test
code (and the upgrade of request to the latest version) has changed.
npm-registry-mock@1.0.0:
0e8d473
#7281 npm-registry-mock@1.0.0:
Clean up API, set connection: close.
(@robertkowalski)
4707bba
Further update tests to work with npm-registry-mock@1.0.0.
(@othiym23)
41a0f89
Got rid of completely gratuitous global config manipulation in tests.
(@othiym23)
fec4c96
Allow --no-proxy to override HTTP_PROXY setting in environment.
(@othiym23)
589acb9
Only set access when publishing when it's explicitly set.
(@othiym23)
1027087
Add script and Makefile stanza to update AUTHORS.
(@KenanY)
eeff04d
Add NPMOPTS to top-level install in Makefile to override userconfig.
(@aredridel)
0d17328
fstream@1.0.4: Run chown only when necessary.
(@silkentrance)
9aa4622
columnify@1.4.1: ES6ified! (@timoxley)
51b2fd1
Update default version in docs/npm-config.md.
(@lucthev)

npm-registry-client@6.0.7:
f9313a0
#7226 Ensure that all request
settings are copied onto the agent.
(@othiym23)
e186f6e
Only set access on publish when it differs from the norm.
(@othiym23)
f9313a0
Allow overriding request's environment-based proxy handling.
(@othiym23)
f9313a0
Properly handle retry failures on fetch.
(@othiym23)

Let's accentuate the positive: the dist-tag endpoints for npm dist-tag
{add,rm,ls} are now live on the public npm registry.
f70272b
npm-registry-client@6.0.3: Properly escape JSON tag version strings and
filter _etag from CouchDB docs. (@othiym23)

NOTE: This week's registry-2 commands are leading the implementation on
registry.npmjs.org a little bit, so some of the following may not work for
another week or so. Also note that npm access has documentation and
subcommands that are not yet finished, because they depend on incompletely
specified registry API endpoints. Things are coming together very quickly,
though, so expect the missing pieces to be filled in the coming weeks.
c963eb2
#7181 NEW npm access public and
npm access restricted: Toggle visibility of scoped packages.
(@othiym23)
dc51810
#6243 /
#6854 NEW npm dist-tags: Directly
manage dist-tags on packages. Most notably, dist-tags can now be deleted.
(@othiym23)
4c7c132
#7181 /
#6854 npm-registry-client@6.0.1:
Add new access and dist-tags endpoints
(@othiym23)
29a6ef3
#6850 Be smarter about determining
base of file deletion when unbuilding. (@phated)
4ad01ea
init-package-json@1.2.0: Support --save-exact in npm init.
(@gustavnikolaj)
e662a60
The new whoami endpoint might not return a value.
(@othiym23)
c2cccd4
npm-registry-client@5.0.0: Includes the following fine changes
(@othiym23):
98e1e10
#6791 Add caching based on
Last-Modified / If-Modified-Since headers. Includes this
npm-registry-client@5.0.0 change (@lxe):
706d49a
#7107 getCacheStat passes a stub
stat on Windows. (@rmg)
5fce278
#5267 Use %COMSPEC% when set on
Windows. (@edmorley)
cc2e099
#7083 Ensure Git cache prefix
exists before repo clone on Windows.
(@othiym23)
c6fb430
#4197 Report umask as a 0-padded
octal literal. (@smikes)
209713e
#4197 umask@1.1.0: Properly
handle umasks (i.e. not decimal numbers).
(@smikes)
9eac0a1
Make the example for bin links non-destructive.
(@KevinSheedy)
6338bcf
glob@4.3.5: " -> ', for some reason. (@isaacs)
88c531d
#7056 version doesn't need a
package.json. (@othiym23)
2656c19
#7095 Link to npm website instead
of registry. (@konklone)
c76b801
#7067 Obfuscate secrets, including
nerfed URLs. (@smikes)
17f66ce
#6849 Explain the tag workflow more
clearly. (@smikes)
e309df6
#7096 Really, npm update -g is
almost always a terrible idea. (@smikes)
acf287d
#6999 npm run-script env: add a
new default script that will print out environment values.
(@gcb)
560c009
#6745 Document npm update --dev.
(@smikes)
226a677
#7046 We have never been the Node
package manager. (@linclark)
38eef22
npm-install-checks@1.0.5: Compatibility with npmlog@^1.
(@iarna)

merry npm xmas
Working with @phated, I discovered that npm still had some lingering race conditions around how it handles Git dependencies. The following changes were intended to remedy these issues. Thanks to @phated for all his help getting to the bottom of these.
bdf1c84
#7006 Only chown template and
top-level Git cache directories. (@othiym23)
581a72d
#7006 Map Git remote inflighting to
clone paths rather than Git URLs. (@othiym23)
1c48d08
#7009 normalize-git-url@1.0.0:
Normalize Git URLs while caching. (@othiym23)
5423cf0
#7009 Pack tarballs to their final
locations atomically. (@othiym23)
7f6557f
#7009 Inflight local directory
packing, just to be safe. (@othiym23)

Other changes:
1c491e6
#6991 npm version: fix regression
in dirty-checking behavior (@rlidwka)
55ceb2b
#1991 modify docs to reflect actual
npm restart behavior (@smikes)
fb8e31b
#6982 when doing registry
operations, ensure registry URL always ends with /
(@othiym23)
5bcba65
pull whitelisted Git environment variables out into a named constant
(@othiym23)
be04bbd
#7000 No longer install badly-named
manpage files, and log an error when trying to uninstall them.
(@othiym23)
6b7c5ec
#7011 Send auth for tarball fetches
for packages in npm-shrinkwrap.json from private registries.
(@othiym23)
9b9de06
glob@4.3.2: Better handling of trailing slashes.
(@isaacs)
030f3c7
semver@4.2.0: Diffing between version strings.
(@isaacs)
a4e4e33
#6987 read-installed@3.1.5: fixed
a regression where a new / empty package would cause read-installed to throw.
(@othiym23 /
@pgilad)
e5a2dee
#6951 fs-vacuum@1.2.5: Use
path-is-inside for better Windows normalization.
(@othiym23)
ac6167c
#6955 Call path.normalize in
lib/utils/gently-rm.js for better Windows normalization.
(@ben-page)
c625d71
#6964 Clarify CA configuration
docs. (@jeffjo)
58b8cb5
#6950 Fix documentation typos.
(@martinvd)
7c1299d
#6909 Remove confusing mention of
rubygems ~> semver operator. (@mjtko)
7dfdcc6
#6909 semver@4.1.1: Synchronize
documentation with PR #6909
(@othiym23)
adfddf3
#6925 Correct typo in
doc/api/npm-ls.md (@oddurs)
f5c534b
#6920 Remove recommendation to run
as root from README.md.
(@robertkowalski)
3ef4459
#6920 npm-@googlegroups.com has
gone the way of all things. That means it's gone.
(@robertkowalski)
cbb890e
#6897 npm is a nice package manager
that runs server-side JavaScript. (@othiym23)
d9043c3
#6893 Remove erroneous docs about
preupdate / update / postupdate lifecycle scripts, which have never existed.
(@devTristan)
c5df4d0
#6884 Update npmjs.org to npmjs.com
in docs. (@linclark)
cb6ff8d
#6879 npm version: Update
shrinkwrap post-check. (@othiym23)
2a340bd
#6868 Use magic numbers instead of
regexps to distinguish tarballs from other things.
(@daxxog)
f1c8bdb
#6861 npm-registry-client@4.0.5:
Distinguish between error properties that are part of the response and error
strings that should be returned to the user.
(@disrvptor)
d3a1b63
#6762 Make npm outdated ignore
private packages. (@KenanY)
16d8542
install.sh: Drop support for node < 0.8, remove engines bits.
(@isaacs)
b9c6046
init-package-json@1.1.3: (@terinstock)
noticed that init.license configuration doesn't stick. Make sure that
dashed defaults don't trump dotted parameters.
(@othiym23)
b6d6acf
which@1.0.8: No longer use graceful-fs for some reason.
(@isaacs)
d39f673
request@2.51.0: Incorporate bug fixes. (@nylen)
c7ad727
columnify@1.3.2: Incorporate bug fixes.
(@timoxley)
e5b1e44
add alias verison=version (@isaacs)
5eed7bd
request@2.49.0 (@nylen)
e72f81d
glob@4.3.1 / minimatch@2.0.1 (@isaacs)
b8dcc36
graceful-fs@3.0.5 (@isaacs)
4861d28
which@1.0.7: License update. (@isaacs)
30a2ea8
ini@1.3.2: License update. (@isaacs)
6a4ea05
fstream@1.0.3: Propagate error events to downstream streams.
(@gfxmonk)
a558695
tar@1.0.3: Don't extract broken files, propagate drain event.
(@gfxmonk)
989624e
#6767 Actually pass parameters when
adding git repo to cache under Windows.
(@othiym23)
657af73
#6774 When verifying paths on
unbuild, resolve both source and target as symlinks.
(@hokaccha)fd19c40
#6713
realize-package-specifier@1.3.0: Make it so that npm install foo@1 works
when a file named 1 exists. (@iarna)c8ac37a
npm-registry-client@4.0.4: Fix regression in failed fetch retries.
(@othiym23)756f3d4
#6735 Log "already built" messages
at info, not error. (@smikes)1b7330d
#6729 npm-registry-client@4.0.3:
GitHub won't redirect you through an HTML page to a compressed tarball if you
don't tell it you accept JSON responses.
(@KenanY)d9c7857
#6506
readdir-scoped-modules@1.0.1: Use graceful-fs so the whole dependency
tree gets read, even in case of EMFILE.
(@sakana)3a085be
Grammar fix in docs. (@icylace)3f8e2ff
Did you know that npm has a Code of Conduct? Add a link to it to
CONTRIBUTING.md. (@isaacs)319ccf6
glob@4.2.1: Performance tuning. (@isaacs)835f046
readable-stream@1.0.33: Bug fixes. (@rvagg)a34c38d
request@2.48.0: Bug fixes. (@nylen)eed9f61
#6542 npm owner add / remove now
works properly with scoped packages
(@othiym23)cd25973
#6548 using sudo won't leave the
cache's git directories with bad permissions
(@othiym23)56930ab
fixed irregular npm cache ls output (yes, that's a thing)
(@othiym23)740f483
legacy tests no longer poison user's own cache
(@othiym23)ce37f14
#6169 add terse output similar to
npm publish / unpublish for npm owner add / remove
(@KenanY)bf2b8a6
#6680 pass auth credentials to
registry when downloading search index
(@terinjokes)00ecb61
#6400 .npmignore is respected for
git repos on cache / pack / publish
(@othiym23)d1b3a9e
#6311 npm ls -l --depth=0 no
longer prints phantom duplicate children
(@othiym23)07c5f34
#6690 uid-number@0.0.6: clarify
confusing names in error-handling code (@isaacs)1ac9be9
#6684 npm init: don't report
write if canceled (@smikes)7bb207d
#5754 never remove app directories
on failed install (@othiym23)705ce60
#5754 fs-vacuum@1.2.2: don't
throw when another fs task writes to a directory being vacuumed
(@othiym23)1b650f4
#6255 ensure that order credentials
are used from .npmrc doesn't regress
(@othiym23)9bb2c34
#6644 warn rather than info on
fetch failure (@othiym23)e34a7b6
#6524 npm-registry-client@4.0.2:
proxy via request more transparently
(@othiym23)40afd6a
#6524 push proxy settings into
request (@tauren)063d843
npm version now updates version in npm-shrinkwrap.json
(@faiq)3f53cd7
#6559 save local dependencies in
npm-shrinkwrap.json (@Torsph)e249262
npm-faq.md: mention scoped pkgs in namespace Q
(@smikes)6b06ec4
#6642 init-package-json@1.1.2:
Handle both init-author-name and init.author.name.
(@othiym23)9cb334c
#6409 document commit-ish with
GitHub URLs (@smikes)0aefae9
#2959 npm run no longer fails
silently (@flipside)e007a2c
#3908 include command in spawn
errors (@smikes)6750b05
#6398 npm-registry-client@4.0.0:
consistent API, handle relative registry paths, use auth more consistently
(@othiym23)7719cfd
#6560 use new npm-registry-client
API (@othiym23)ed61971
move caching of search metadata from npm-registry-client to npm itself
(@othiym23)3457041
handle caching of metadata independently from npm-registry-client
(@othiym23)20a331c
#6538 map registry URLs to
credentials more safely (@indexzero)4072e97
#6589 npm-registry-client@4.0.1:
allow publishing of packages with names identical to built-in Node modules
(@feross)254f0e4
tar@1.0.2: better error-handling (@runk)73ee2aa
request@2.47.0 (@mikeal)681b398
#6523 fix default loglevel doc
(@KenanY)80b368f
#6528 npm version should work in
a git directory without git (@terinjokes)5f5f9e4
#6483 init-package-json@1.1.1:
Properly pick up default values from environment variables.
(@othiym23)a114870
perl 5.18.x doesn't like -pi without filenames
(@othiym23)de5ba00
request@2.46.0: Tests and cleanup.
(@othiym23)76933f1
fstream-npm@1.0.1: Always include LICENSE[.*], LICENCE[.*],
CHANGES[.*], CHANGELOG[.*], and HISTORY[.*].
(@jonathanong)6a14b23
#6397 Defactor npmconf back into
npm. (@othiym23)4000e33
#6323 Install peerDependencies
from top. (@othiym23)5d119ae
#6498 Better error messages on
malformed .npmrc properties. (@nicks)ae18efb
#6093 Replace instances of 'hash'
with 'object' in documentation. (@zeke)53108b2
#1558 Clarify how local paths
should be used. (@KenanY)344fa1a
#6488 Work around bug in marked.
(@othiym23)
OUTDATED DEPENDENCY CLEANUP JAMBOREE
60c2942
realize-package-specifier@1.2.0: Handle names and rawSpecs more
consistently. (@iarna)1b5c95f
sha@1.3.0: Change line endings?
(@ForbesLindesay)d7dee3f
request@2.45.0: Dependency updates, better proxy support, better compressed
response handling, lots of 'use strict'.
(@mikeal)3d75180
opener@1.4.0: Added gratuitous return.
(@Domenic)8e2703f
retry@0.6.1 / npm-registry-client@3.2.4: Change of ownership.
(@tim-kos)c87b00f
once@1.3.1: Wrap once with wrappy. (@isaacs)01ec790
npm-user-validate@0.1.1: Correct repository URL.
(@robertkowalski)389e52c
glob@4.0.6: Now absolutely requires graceful-fs.
(@isaacs)e15ab15
ini@1.3.0: Tighten up whitespace handling.
(@isaacs)7610f3e
archy@1.0.0 (@substack)9c13149
semver@4.1.0: Add support for prerelease identifiers.
(@bromanko)f096c25
graceful-fs@3.0.4: Add a bunch of additional tests, skip the unfortunate
complications of graceful-fs@3.0.3. (@isaacs)3aeb440
#6442 proxying git needs GIT_SSL_CAINFO
(@wmertens)a8da8d6
#6413 write builtin config on any
global npm install (@isaacs)9e4d632
#6343 don't pass run arguments to
pre & post scripts (@TheLudd)d831b1f
#6399 race condition: inflight
installs, prevent peerDependency problems
(@othiym23)82b775d
#6384 race condition: inflight
caching by URL rather than semver range
(@othiym23)7bee042
inflight@1.0.4: callback can take arbitrary number of parameters
(@othiym23)3bff494
#5195 fixed regex color regression
for npm search (@chrismeyersfsu)33ba2d5
#6387 allow npm view global if
package is specified (@evanlucas)99c4cfc
#6388 npm-publish →
npm-developers(7) (@kennydude)
TEST CLEANUP EXTRAVAGANZA:
8d6bfcb
tap tests run with no system-wide side effects
(@chrismeyersfsu)7a1472f
added npm cache cleanup script
(@chrismeyersfsu)0ce6a37
stripped out dead test code (@othiym23)
BREAKING CHANGE FOR THE SQRT(i) PEOPLE ACTUALLY USING npm submodule:
1e64473
rm -rf npm submodule command, which has been broken since the Carter
Administration (@isaacs)
BREAKING CHANGE IF YOU ARE FOR SOME REASON STILL USING NODE 0.6 AND YOU SHOULD NOT BE DOING THAT CAN YOU NOT:
3e431f9
joyent/node#8492 bye bye
customFds, hello stdio (@othiym23)
Other changes:
ea607a8
#6372 noisily error (without
aborting) on multi-{install,build} (@othiym23)3ee2799
#6372 only make cache creation
requests in flight (@othiym23)1a90ec2
#6372 wait to put Git URLs in
flight until normalized (@othiym23)664795b
#6372 log what is and isn't in
flight (@othiym23)00ef580
inflight@1.0.3: fix largely theoretical race condition, because we really
really hate race conditions (@isaacs)1cde465
#6363
realize-package-specifier@1.1.0: handle local dependencies better
(@iarna)86f084c
realize-package-specifier@1.0.2: dependency realization! in its own module!
(@iarna)553d830
npm-package-arg@2.1.3: simplified semver, better tests
(@iarna)bec9b61
readable-stream@1.0.32: for some reason
(@rvagg)ff08ec5
dezalgo@1.0.1: use wrappy for instrumentability
(@isaacs)a1aa20e
#6282
normalize-package-data@1.0.3: don't prune bundledDependencies
(@isaacs)a1f5fe1
move locks back into cache, now path-aware
(@othiym23)a432c4b
convert lib/utils/tar.js to use atomic streams
(@othiym23)b8c3c74
fs-write-stream-atomic@1.0.2: Now works with streams1 fs.WriteStreams.
(@isaacs)c7ab76f
logging cleanup (@othiym23)4b2d95d
#6329 efficiently validate tmp
tarballs safely (@othiym23)563225d
#6318 clean up locking; prefix
lockfile with "." (@othiym23)c7f30e4
#6318 remove locking code around
tarball packing and unpacking (@othiym23)
NEW FEATURE:
3635601
#5520 Add 'npm view .'.
(@evanlucas)
Other changes:
f24b552
#6294 Lock cache → lock cache
target. (@othiym23)ad54450
#6296 Ensure that npm-debug.log
file is created when rollbacks are done.
(@isaacs)6810071
docs: Default loglevel "http" → "warn".
(@othiym23)35ac89a
Skip installation of installed scoped packages.
(@timoxley)e468527
Ensure cleanup executes for scripts-whitespace-windows test.
(@timoxley)ef9101b
Ensure cleanup executes for packed-scope test.
(@timoxley)69b4d18
fs-write-stream-atomic@1.0.1: Fix a race condition in our race-condition
fixer. (@isaacs)26b17ff
#6272 npmconf decides what the
default prefix is. (@othiym23)846faca
Fix development dependency is preferred over dependency.
(@andersjanmyr)9d1a9db
#3265 Re-apply a71615a. Fixes
#3265 again, with a test!
(@glasser)1d41db0
marked-man@0.1.4: Fixes formatting of synopsis blocks in man docs.
(@kapouer)a623da0
#5867 Specify dummy git template
dir when cloning to prevent copying hooks.
(@boneskull)42c872b
#5920
fs-write-stream-atomic@1.0.0 (@isaacs)6784767
#5920 make all write streams atomic
(@isaacs)f6fac00
#5920 barf on 0-length cached
tarballs (@isaacs)3b37592
write-file-atomic@1.1.0: use graceful-fs
(@iarna)74c5ab0
#6201 npmconf@2.1.0: scope
always-auth to registry URI (@othiym23)774b127
#6201 npm-registry-client@3.2.2:
use scoped always-auth settings (@othiym23)f2d2190
#6201 support saving
--always-auth when logging in (@othiym23)17c941a
#6163 use write-file-atomic
instead of fs.writeFile() (@fiws)fb5724f
#5925 npm init -f: allow npm
init to run without prompting
(@michaelnisi)b706d63
#3059 disable prepublish when
running npm install --production
(@jussi-kalliokoski)119f068
attach the node version used when publishing a package to its registry
metadata (@othiym23)8fe0081
seriously, don't use npm -g update npm
(@thomblake)ea5b3d4
request@2.44.0 (@othiym23)
BREAKING CHANGES:
4378a17
semver@4.0.0: prerelease versions no longer show up in ranges; ^0.x.y
behaves the way it did in semver@2 rather than semver@3; docs have been
reorganized for comprehensibility (@isaacs)c6ddb64
npm now assumes that node is newer than 0.6
(@isaacs)
Other changes:
ea515c3
#6043 slide@1.1.6: wait until all
callbacks have finished before proceeding
(@othiym23)0b0a59d
#6043 defer rollbacks until just
before the CLI exits (@isaacs)a11c88b
#6175 pack scoped packages
correctly (@othiym23)e4e48e0
#6121 read-installed@3.1.2: don't
mark linked dev dependencies as extraneous
(@isaacs)d673e41
cmd-shim@2.0.1: depend on graceful-fs directly
(@ForbesLindesay)9d54d45
npm-registry-couchapp@2.5.3: make tests more reliable on Travis
(@iarna)673d738
ensure permissions are set correctly in cache when running as root
(@isaacs)6e6a5fb
prepare for upgrade to node-semver@4.0.0
(@isaacs)ab8dd87
swap out ronn for marked-man@0.1.3 (@isaacs)803da54
npm-registry-client@3.2.0: prepare for node-semver@4.0.0 and include more
error information (@isaacs)4af0e71
make default error display less scary (@isaacs)4fd9e79
npm-registry-client@3.2.1: handle errors returned by the registry much,
much better (@othiym23)ca791e2
restore a long (always?) missing pass for deduping
(@othiym23)ca0ef0e
correctly interpret relative paths for local dependencies
(@othiym23)5eb8db2
npm-package-arg@2.1.2: support git+file:// URLs for local bare repos
(@othiym23)860a185
tweak docs to no longer advocate checking in node_modules
(@hunterloftis)80e9033
add links to nodejs.org downloads to docs
(@meetar)fa79413
#6119 fall back to registry installs
if package.json is missing in a local directory (@iarna)16073e2
npm-package-arg@2.1.0: support file URIs as local specs
(@othiym23)9164acb
github-url-from-username-repo@1.0.2: don't match strings that are already
URIs (@othiym23)4067d6b
#5629 support saving of local packages
in package.json (@dylang)1b2ffdf
#6097 document scoped packages
(@seldo)0a67d53
#6007 request@2.42.0: properly
set headers on proxy requests (@isaacs)9bac6b8
npmconf@2.0.8: disallow semver ranges in tag configuration
(@isaacs)d2d4d7c
#6082 don't allow tagging with a
semver range as the tag name (@isaacs)
SPECIAL LABOR DAY WEEKEND RELEASE PARTY WOOO
ed207e8
npm-registry-client@3.1.7: Clean up auth logic and improve logging around
auth decisions. Also error on trying to change a user document without
writing to it. (@othiym23)66c7423
npmconf@2.0.7: support -C as an alias for --prefix
(@isaacs)0dc6a07
#6059 run commands in prefix, not
cwd (@isaacs)65d2179
github-url-from-username-repo@1.0.1: part 3 handle slashes in branch names
(@robertkowalski)e8d75d0
#6057 read-installed@3.1.1:
properly handle extraneous dev dependencies of required dependencies
(@othiym23)0602f70
#6064 ls: do not show deps of
extraneous deps (@isaacs)78a1fc1
github-url-from-git@1.4.0: add support for git+https and git+ssh
(@stefanbuck)bf247ed
columnify@1.2.1 (@othiym23)4bbe682
cmd-shim@2.0.0: upgrade to graceful-fs 3
(@ForbesLindesay)ae1d590
npm-package-arg@2.0.4: accept slashes in branch names
(@thealphanerd)b2f51ae
semver@3.0.1: semver.clean() is cleaner
(@isaacs)1d041a8
github-url-from-username-repo@1.0.0: accept slashes in branch names
(@robertkowalski)02c85d5
async-some@1.0.1 (@othiym23)5af493e
ensure lifecycle spawn errors caught properly
(@isaacs)60fe012
npmconf@2.0.6: init.version defaults to 1.0.0
(@isaacs)b4c717b
npm-registry-client@3.1.4: properly encode % in passwords
(@isaacs)7b55f44
doc: Fix 'npm help index' (@isaacs)685f8be
npm-registry-client@3.1.3: Print the notification header returned by the
registry, and make sure status codes are printed without gratuitous quotes
around them. (@isaacs /
@othiym23)a8cb676
#5900 remove npm from its own
engines field in package.json. None of us remember why it was there.
(@timoxley)6c47201
#5752,
#6013 save git URLs correctly in
_resolved fields (@isaacs)e4e1223
#5936 document the use of tags in
package.json (@KenanY)c92b8d4
#6004 manually installed scoped
packages are tracked correctly (@dead-horse)21ca0aa
#5945 link scoped packages
correctly (@dead-horse)16bead7
#5958 ensure that file streams work
in all versions of node (@dead-horse)dbf0cab
you can now pass quoted args to npm run-script
(@bcoe)0583874
tar@1.0.1: Add test for removing an extract target immediately after
unpacking.
(@isaacs)cdf3b04
lockfile@1.0.0: Fix incorrect interaction between wait, stale, and
retries options. Part 2 of race condition leading to ENOENT errors.
(@isaacs)
22d72a8
fstream@1.0.2: Fix a double-finish call which can result in excess FS
operations after the close event. Part 1 of race condition leading to
ENOENT errors.
(@isaacs)f23f1d8
doc: update version doc to include pre-* increment args
(@isaacs)b6bb746
build: add 'make tag' to tag current release as latest
(@isaacs)27c4bb6
build: publish with --tag=v1.4-next (@isaacs)cff66c3
build: add script to output v1.4-next publish tag
(@isaacs)22abec8
build: remove outdated docpublish make target
(@isaacs)1be4de5
build: remove unpublish step from make publish
(@isaacs)e429e20
doc: add new changelog (@othiym23)9243d20
lifecycle: test lifecycle path modification
(@isaacs)021770b
lifecycle: BREAKING CHANGE do not add the directory containing node executable
(@chulkilee)1d5c41d
install: rename .gitignore when unpacking foreign tarballs
(@isaacs)9aac267
cache: detect non-gzipped tar files more reliably
(@isaacs)3f24755
readdir-scoped-modules@1.0.0 (@isaacs)151cd2f
read-installed@3.1.0 (@isaacs)f5a9434
test: fix Travis timeouts (@dylang)126cafc
npm-registry-couchapp@2.5.0 (@othiym23)
BREAKING CHANGE:
Other changes:
d987707 move fetch into npm-registry-client (@othiym23)
9b318e2 read-installed@3.0.0 (@isaacs)
9d73de7 remove unnecessary mkdirps (@isaacs)
33ccd13 Don't squash execute perms in _git-remotes/ dir (@adammeadows)
48fd233 npm-package-arg@2.0.1 (@isaacs)
This release bumps up to 2.0 because of this breaking change, which could potentially affect how your package's scripts are run:
Other changes:
cd422c9
#5748 link binaries for scoped
packages (@othiym23)4c3c778
#5758 npm link includes scope
when linking scoped package (@fengmk2)f9f58dd
#5707 document generic pre- /
post-commands (@sudodoki)ac7a480
#5406 npm cache displays usage
when called without arguments
(@michaelnisi)f4554e9
Test fixes for Windows (@isaacs)