a9e722118#20256 Add support for managing npm webhooks. This brings over functionality previously provided by thewombatCLI. (@zkat)8a1a64203#20126 Addnpm citcommand that's equivalent ofnpm ci && npm tthat's equivalent ofnpm it. (@SimenB)fe867aaf149d18b4d8ff6b31f7778eab3cdaTherequiresfield in your lock-file will be upgraded to use ranges from versions on your first use of npm. (@iarna)cf4d7b4de#20257 Add shasum and integrity to the newnpm viewoutput. (@zkat)
-
685764308Fix a bug where OTPs passed in via the commandline would have leading zeros deleted resulted in authentication failures. (@iarna) -
8f3faa3236800f76ffec90c06c7825b5d2c64785f13fbbd16485f5Restore the ability to bundle dependencies that are uninstallable from the registry. This also eliminates needless registry lookups for bundled dependencies.Fixed a bug where attempting to install a dependency that is bundled inside another module without reinstalling that module would result in ENOENT errors. (@iarna)
-
429498a8c#20029 Allow packages with non-registry specifiers to follow the fast path that the we use with the lock-file for registry specifiers. This will improve install time especially when operating only on the package-lock (--package-lock-only). (@zkat)Fix the a bug where
npm i --only=prodcould remove development dependencies from lock-file. (@iarna) -
834b46ff4#20122 Improve the update-notifier messaging (borrowing ideas from pnpm) and eliminate false positives. (@zkat) -
f9de7ef3a#20154 Let version succeed whenpackage-lock.jsonis gitignored. (@nwoltman) -
f8ec52073#20212 Ensure that we only create anetcdirectory if we are actually going to write files to it. (@buddydvd) -
ab489b753#20140 Note in documentation thatpackage-lock.jsonversion gets touched bynpm version. (@srl295) -
857c2138d#20032 Fix bug where unauthenticated errors would get reported as both 404s and 401s, i.e.npm ERR! 404 Registry returned 401. In these cases the error message will now be much more informative. (@iarna) -
d2d290bca#20082 Allow optional @ prefix on scope withnpm teamcommands for parity with other commands. (@bcoe) -
b5babf0a9#19580 Improve messaging when two-factor authentication is required while publishing. (@jdeniau) -
471ee1c5b0da38b7b4Fix a bug where optional status of a dependency was not being saved to the package-lock on the initial install. (@iarna) -
b3f98d8ba9dea95e31Ensure that--no-optionaldoes not remove optional dependencies from the lock-file. (@iarna)
73dc97455zkat/cipm#46libcipm@1.6.2: Detect binding.gyp for default install lifecycle. Let'snpm ciwork on projects that have their own C code. (@caleblloyd)77c3f7a00iferr@1.0.0dce733e37zkat/json-parse-better-errors#1json-parse-better-errors@1.0.2(@Hoishin)c52765ff3readable-stream@2.3.6(@mcollina)e160adf9fupdate-notifier@2.4.0(@sindersorhus)9a9d7809emarked@0.3.1(@joshbruce)f2fbd8577#20256figgy-pudding@2.0.1(@zkat)44972d53d#20256libnpmhook@3.0.0(@zkat)cfe562c58#20276node-gyp@3.6.23c0bbcb8ezkat/npx#172libnpx@10.1.1(@jdalton)0573d91e5zkat/cacache#128cacache@11.0.1(@zkat)396afa99ffiggy-pudding@3.1.0(@zkat)e7f869c36pacote@8.0.0(@zkat)77dac72dfssri@6.0.0(@zkat)0b802f2a0retry@0.12.0(@iarna)4781b64bclibnpmhook@4.0.1(@zkat)7bdbaeea6npm-package-arg@6.1.0(@zkat)5f2bf4222read-package-tree@5.2.1(@zkat)
Sometimes major releases are a big splash, sometimes they're something
smaller. This is the latter kind. That said, we expect to keep this in
release candidate status until Node 10 ships at the end of April. There
will likely be a few more features for the 6.0.0 release line between now
and then. We do expect to have a bigger one later this year though, so keep
an eye out for npm@7!
When selecting versions to install, we now avoid deprecated versions if possible. For example:
Module: example
Versions:
1.0.0
1.1.0
1.1.2
1.1.3 (deprecated)
1.2.0 (latest)
If you ask npm to install example@~1.1.0, npm will now give you 1.1.2.
By contrast, if you installed example@~1.1.3 then you'd get 1.1.3, as
it's the only version that can match the range.
When npm install is finding a version to install, it first checks to see
if the specifier you requested matches the latest tag. If it doesn't,
then it looks for the highest version that does. This means you can do
release candidates on tags other than latest and users won't see them
unless they ask for them. Promoting them is as easy as setting the latest
tag to point at them.
Historically npm update and npm outdated worked differently. They just
looked for the most recent thing that matched the semver range, disregarding
the latest tag. We're changing it to match npm install's behavior.
3aaa6ef42Make update and outdated respect latest interaction with semver as install does. (@iarna)e5fbbd2c9npm-pick-manifest@2.1.0(@iarna)
Technically this is a bug fix, but the change in behavior is enough of an edge case that I held off on bringing it in until a major version.
When we extract a binary and it starts with a shebang (or "hash bang"), that is, something like:
#!/usr/bin/env node
If the file has Windows line endings we strip them off of the first line. The reason for this is that shebangs are only used in Unix-like environments and the files with them can't be run if the shebang has a Windows line ending.
Previously we converted ALL line endings from Windows to Unix. With this patch we only convert the line with the shebang. (Node.js works just fine with either set of line endings.)
8146583717265198ebbin-links@1.1.2: Only rewrite the CR after a shebang (if any) when fixing up CR/LFs. (@iarna)
Per our supported Node.js policy, we're dropping support for both Node 4 and Node 7, which are no longer supported by the Node.js project.