Maybe upgrade to npm 2.5.1 before releasing 0.12.0

[misterdjules]

It seems that npm 2.3.0 introduced a regression that breaks npm users who are behind man-in-the-middle SSL proxies. See npm/npm#7237 for details.

Should we upgrade to the first npm release that contains the fix (2.5.0) before 0.12.0?

@othiym23 What do you suggest?

[othiym23]

I am 100% behind this plan, assuming that we can come up with a plan to vet npm@2.5.0 to your satisfaction. I haven't been able to fix the issue you found with the tests (although @isaacs gave me a good suggestion for how I might deal with it), but aside from that the proxy and SSL fixes that are in that release would be very good to have in everyone's hands.

Should I submit it as a PR?

[misterdjules]

@othiym23 I'm trying to determine the severity of npm/npm#7237. I initially thought it would affect a lot of people, but from the low activity in this issue, I would now think it's not a severe issue. What's your opinion?

If this issue does not affect a significant number of users, I don't see it as a reason to upgrade to npm 2.5.0 before 0.12.0 is released.

[othiym23]

I leave it as a judgment call to you, @misterdjules, although I would be inclined to wait if it were up to me. The real breakage there isn't actually --strict-ssl; it's because we started using an http(s).Agent without setting all of the SSL parameters on that agent. What this means is that anyone using a custom CA, cert, or key will not see that honored in their requests. Because this typically only affects people using private registries / registry services or corporate firewalls, and enterprise users tend to lag on adoption a little, I have a feeling we're not seeing the full severity of the problem on that issue.

I'd point out that npm@2.5.0 will be stable as of Thursday (and if you want to start testing npm@2.5.0 for the release, I'm happy to support you).

[misterdjules]

@othiym23 Thank you for the additional info.

If no serious problem has been found in npm 2.5.0 since your latest comment in this issue, we're going to upgrade to npm 2.5.0 before the next release. We'd like to do it today, so if you don't have the time to do it, I can take care of it.

Thank you again for all your help!

[misterdjules]

Some tests are failing with npm 2.5.0 when ran with a node binary built from the v0.12 branch. npm just released 2.5.1 with all tests passing. Thus, instead of upgrading to npm 2.5.0, npm will be upgraded to 2.5.1.

[misterdjules]

Fixed by 087a751, thanks for your support @othiym23!