build: bump npm from 5.5.1 to 5.7.1 #1131

Closed

dependabot-preview[bot]

Bumps npm from 5.5.1 to 5.7.1.

Release notes

Sourced from npm's releases.

v5.7.1

This release reverts a patch that could cause some ownership changes on system files when running from some directories when also using sudo. 😲

Thankfully, it only affected users running npm@next, which is part of our staggered release system, which we use to prevent issues like this from going out into the wider world before we can catch them. Users on latest would have never seen this!

The original patch was added to increase consistency and reliability of methods npm uses to avoid writing files as root in places it shouldn't, but the change was applied in places that should have used regular mkdirp. This release reverts that patch.

v5.7.0

Hey y'all, it's been a while. Expect our release rate to increase back to normal here, as we've got a lot in the pipeline. Right now we've got a bunch of things from folks at npm. In the next release we'll be focusing on user contributions and there are a lot of them queued up!

This release brings a bunch of exciting new features and bug fixes.

PACKAGE-LOCK GIT MERGE CONFLICT RESOLUTION

Allow npm install to fix package-lock.json and npm-shrinkwrap.json files that have merge conflicts in them without your having to edit them. It works in conjunction with npm-merge-driver to entirely eliminate package-lock merge conflicts.

NPM CI

The new npm ci command installs from your lock-file ONLY. If your package.json and your lock-file are out of sync then it will report an error.

It works by throwing away your node_modules and recreating it from scratch.

Beyond guaranteeing you that you'll only get what is in your lock-file it's also much faster (2x-10x!) than npm install when you don't start with a node_modules.

As you may take from the name, we expect it to be a big boon to continuous integration environments. We also expect that folks who do production deploys from git tags will see major gains.

OTHER NEW FEATURES

BIG FIXES TO PRUNING

  • 827951590 Handle running npm install package-name with a node_modules containing packages without sufficient metadata to verify their origin. The only way to get install packages like this is to use a non-npm package manager. Previously npm removed any packages that it couldn't verify. Now it will leave them untouched as long as you're not asking for a full install. On a full install they will be reinstalled (but the same versions will be maintained).

    This will fix problems for folks who are using a third party package manager to install packages that have postinstall scripts that run npm install. ([iarna](https://github.com/iarna))

  • 3b305ee71 Only auto-prune on installs that will create a lock-file. This restores npm@4 compatible behavior when the lock-file is disabled. When using a lock-file npm will continue to remove anything in your node_modules that's not in your lock-file. ([iarna](https://github.com/iarna))

  • cec5be542 Fix bug where npm prune --production would remove dev deps from the lock file. It will now only remove them from node_modules not from your lock file. ([iarna](https://github.com/iarna))

  • 857dab03f Fix bug where git dependencies would be removed or reinstalled when installing other dependencies. ([iarna](https://github.com/iarna))

BUG FIXES TO TOKENS AND PROFILES

  • a66e0cd03 For CIDR filtered tokens, allow comma separated CIDR ranges, as documented. Previously you could only pass in multiple cidr ranges with multiple --cidr command line options. ([iarna](https://github.com/iarna))
    ... (truncated)
Changelog

Sourced from npm's changelog.

v5.7.1 (2018-02-22):

This release reverts a patch that could cause some ownership changes on system
files when running from some directories when also using sudo. 😲

Thankfully, it only affected users running npm@next, which is part of our
staggered release system, which we use to prevent issues like this from going
out into the wider world before we can catch them. Users on latest would have
never seen this!

The original patch was added to increase consistency and reliability of methods
npm uses to avoid writing files as root in places it shouldn't, but the change
was applied in places that should have used regular mkdirp. This release
reverts that patch.

v5.7.0 (2018-02-20):

Hey y'all, it's been a while. Expect our release rate to increase back to
normal here, as we've got a lot in the pipeline. Right now we've got a
bunch of things from folks at npm. In the next release we'll be focusing on
user contributions and there are a lot of them queued up!

This release brings a bunch of exciting new features and bug fixes.

PACKAGE-LOCK GIT MERGE CONFLICT RESOLUTION

Allow npm install to fix package-lock.json and npm-shrinkwrap.json
files that have merge conflicts in them without your having to edit them.
It works in conjunction with
npm-merge-driver to
entirely eliminate package-lock merge conflicts.

NPM CI

The new npm ci command installs from your lock-file ONLY. If your
package.json and your lock-file are out of sync then it will report an error.

It works by throwing away your node_modules and recreating it from scratch.

Beyond guaranteeing you that you'll only get what is in your lock-file it's
... (truncated)

Commits
  • 8452a9d 5.7.1
  • 7dff9d6 doc: update changelog for npm@5.7.1
  • 74e149d Revert "*: Switch from mkdirp to correctMkdir to preserve perms and owners"
  • d3095ff 5.7.0
  • b3ecd3d update AUTHORS
  • c493181 doc: changelog for 5.7.0
  • 259012e install/deps: Pass our logger through to removeObsoleteDep from earliestInsta...
  • 6954dfc install: Regenerate the logical tree after loading our lockfile
  • 9bc6230 libcipm@1.3.3
  • 4f5327c auth: Add support for web-based logins
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

If you'd like to skip this version, you can just close this PR. If you have any feedback just mention @dependabot in the comments below.
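
The out-of-sync error described in the NPM CI notes above amounts to a drift check between package.json and the lock-file. The following is an added example, not code from npm or from this PR: `lockfileDrift` and its helpers are hypothetical names, the range check handles only exact, `^` and `~` ranges, and the lock-file shape assumed is lockfileVersion 1 (a top-level `dependencies` map with a `version` per package).

```javascript
// Parse "1.2.3" into [1, 2, 3]; prerelease tags are outside this sketch.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Simplified range check (assumption): exact "x.y.z", "^x.y.z" and "~x.y.z" only.
function satisfies(version, range) {
  const op = /^[\^~]/.test(range) ? range[0] : '';
  const min = parseVersion(range.slice(op.length));
  const v = parseVersion(version);
  if (op === '') return compare(v, min) === 0;
  let max;
  if (op === '~') max = [min[0], min[1] + 1, 0];
  else if (min[0] > 0) max = [min[0] + 1, 0, 0];
  else if (min[1] > 0) max = [0, min[1] + 1, 0];
  else max = [0, 0, min[2] + 1];
  return compare(v, min) >= 0 && compare(v, max) < 0;
}

// List every way the manifest and the lock-file disagree.
function lockfileDrift(pkg, lock) {
  const declared = Object.assign({}, pkg.dependencies, pkg.devDependencies);
  const locked = lock.dependencies || {};
  const problems = [];
  for (const [name, range] of Object.entries(declared)) {
    const entry = locked[name];
    if (!entry) {
      problems.push(`${name}: missing from lock-file`);
    } else if (!satisfies(entry.version, range)) {
      problems.push(`${name}: locked ${entry.version} does not satisfy ${range}`);
    }
  }
  return problems;
}

// Constructed sample input (not taken from this PR).
const samplePkg = { dependencies: { 'left-pad': '^1.3.0', debug: '~3.1.0' },
                    devDependencies: { mocha: '5.0.1' } };
const sampleLock = { lockfileVersion: 1,
                     dependencies: { 'left-pad': { version: '1.3.0' }, debug: { version: '3.2.0' } } };
console.log(lockfileDrift(samplePkg, sampleLock));
```

A CI job that treats a non-empty result as a build failure gets the same guarantee the release notes describe: nothing is installed that the reviewed lock-file does not pin.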

Bumps [npm](https://github.com/npm/npm) from 5.5.1 to 5.7.1.
- [Release notes](https://github.com/npm/npm/releases)
- [Changelog](https://github.com/npm/npm/blob/latest/CHANGELOG.md)
- [Commits](npm/npm@v5.5.1...v5.7.1)

Signed-off-by: dependabot[bot] <support@dependabot.com>
@dependabot-preview

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot-preview dependabot-preview bot deleted the dependabot/npm_and_yarn/npm-5.7.1 branch March 21, 2018 18:02