Skip to content

Latest commit

 

History

History
2710 lines (2248 loc) · 121 KB

CHANGELOG.md

File metadata and controls

2710 lines (2248 loc) · 121 KB

v7.12.1 (2021-05-10)

BUG FIXES

DEPENDENCIES

  • 285976fd1 @npmcli/arborist@2.4.4
    • fix(reify): properly save spec if prerelease
  • f9f24d17c libnpmexec@1.1.1
    • fix(add): Specify 'en' locale to String.localeCompare
  • cb9f17499 glob@7.1.7
    • force 'en' locale in string sorting
  • 24b4e4a41 ignore-walk@3.0.4
    • Avoid locale-specific sorting issues
  • 1eb7e5c7d @npmcli/arborist@2.4.3
    • guard against locale-specific sorting
  • a6a826067 npm-packlist@2.2.2:
    • fix(sort): avoid locale-dependent sorting issues

v7.12.0 (2021-05-06)

FEATURES

BUG FIXES

DEPENDENCIES

  • d01ce5e13 libnpmexec@1.1.0:
    • feat: add walk up dir lookup to satisfy local bins
  • 81c1dfaaa @npmcli/arborist@2.4.2:
    • fix(add): save packages in the right place
    • fix(reify): do not clean up nodes with no parent
    • fix(audit): support alias specs & root package names
  • 87c2303ea @npmcli/git@2.0.9:
    • fix(clone): Do not allow git replacement objects by default
  • 99ff40dff npm-packlist@2.2.0:
    • feat(npmignore): Do not force include history, changelogs, notice
    • fix(package.json): add missing bin/index.js to files

v7.11.2 (2021-04-29)

BUG FIXES

DEPENDENCIES

  • fb79d89a0 tap@15.0.6
  • ce3820043 @npmcli/arborist@2.4.1
    • fix: prevent and eliminate unnecessary duplicates
    • fix: support resolvable partial intersecting peerSets

DOCUMENTATION

v7.11.1 (2021-04-23)

DEPENDENCIES

DOCUMENTATION

  • efdd7dd44 Remove unused and incorrectly documented --always-auth config definition (@isaacs)

v7.11.0 (2021-04-22)

FEATURES

BUG FIXES

DOCUMENTATION

DEPENDENCIES

v7.10.0 (2021-04-15)

FEATURES

DEPENDENCIES

  • f1e6743a6 libnpmversion@1.2.0
    • feat(retrieve-tag): retrieve unannotated git tags
    • fix(retrieve-tag): use semver to look for semver
  • 3b476a24c @npmcl/git@2.0.8
    • fix(git): do not use shell when calling git
  • dfcd0c1e2 #3069 tap@15.0.2

DOCUMENTATION

v7.9.0 (2021-04-08)

FEATURES

DEPENDENCIES

v7.8.0 (2021-04-01)

FEATURES

BUG FIXES

DEPENDENCIES

  • 61da39beb @npmcli/config@2.1.0
    • feat(config): add support for envExport:false
  • fb095a708 @npmcli/arborist@2.3.0:
    • #2896 Provide currentEdge in ERESOLVE if known, and address self-linking edge case.
    • Add/remove dependencies to/from workspaces when set, not root project
    • Only reify the portions of the dependency graph identified by the workspace configuration value.
    • Do not recursively chown the project root path.

v7.7.6 (2021-03-29)

BUG FIXES

DEPENDENCIES

  • a28f89572 libnpmversion@1.1.0
    • fix reading script-shell config on npm version lifecycle scripts
  • 03734c29e npm-packlist@2.1.5
    • fix packaging bundledDependencies
  • 80ce2a019 @npmcli/metavuln-calculator@1.1.1
    • fix error auditing package documents with missing dependencies

v7.7.5 (2021-03-25)

BUG FIXES

TESTS

v7.7.4 (2021-03-24)

BUG FIXES

v7.7.3 (2021-03-24)

BUG FIXES

  • c76f04ac2 #2925 fix(set-script): add completion (@Yash-Singh1)
  • 0379eab69 #2929 fix(install): ignore auditLevel npm install should not be affected by the auditLevel config, as the results of audit do not change its exit status. (@wraithgar)
  • 98efadeb4 #2923 fix(audit-level): add info audit level This is a valid level but wasn't configured to be allowed. Also added this param to the usage output for npm audit (@wraithgar)
  • e8d2adcf4 #2945 config should not error when workspaces are configured (@nlf)
  • aba2bc623 #2944 fix(progress): re-add progress bar to reify The logger was no longer in flatOptions, we pass it in explicitly now (@wraithgar)
  • 877b4ed29 #2946 fix(flatOptions): re-add _auth This was not being added to flatOptions, and things like npm-registry-fetch are looking for it. (@wraithgar)

v7.7.2 (2021-03-24)

BUG FIXES

DEPENDENCIES

v7.7.1 (2021-03-24)

BUG FIXES

v7.7.0 (2021-03-23)

FEATURES

BUG FIXES

DOCUMENTATION

DEPENDENCIES

  • 7b5606b93 @npmcli/arborist@2.2.9
    • #254 Honor explicit prefix when saving dependencies (@jameschensmith)
    • #255 Never save to bundleDependencies when saving a peer or peerOptional dependency. (@isaacs)
  • f76e7c21f pacote@11.3.1
    • increases tarball compression level
  • 4928512bc semver@7.3.5
    • fix handling prereleases/ANY ranges in subset
  • 1924eb457 libnpmversion@1.0.12
    • fix removing undescored-prefixed package.json properties in npm version
  • 916623056 @npmcli/run-script@1.8.4
    • fix expanding windows-style environment variables
  • a8d0751e4 npm-pick-manifest@6.1.1
    • fix running packages with a single executable binary with npm exec
  • af7eaac50 hosted-git-info@4.0.1
  • f52c51db1 @npmcli/config@2.0.0

v7.6.3 (2021-03-11)

DOCUMENTATION

DEPENDENCIES

  • 57ed390d6 @npmcli/arborist@2.2.8
    • Respect link deps when calculating peerDep sets

v7.6.2 (2021-03-09)

BUG FIXES

DEPENDENCIES

  • 7f470b5c2 @npmcli/arborist@2.2.7
    • fix(install): Do not revert a file: dep to version on bare name re-install
  • e9b7fc275 libnpmdiff@2.0.4
    • fix(diff): Gracefully handle packages with prepare script
  • c7314aa62 byte-size@7.0.1
  • 864f48d43 pacote@11.3.0

v7.6.1 (2021-03-04)

BUG FIXES

DOCUMENTATION

DEPENDENCIES

v7.6.0 (2021-02-25)

FEATURES

DEPENDENCIES

  • b9fa7e32a chore(package-lock): resetdeps and eslint@7.20.0 (@wraithgar)
  • 28d036ae9 arborist@2.2.5
    • fix: hidden lockfiles were not respected on Node v10.0-10.12

DOCUMENTATION

v7.5.6 (2021-02-22)

BUG FIXES

DOCS

DEPENDENCIES

  • f3ae6ed0d read-package-json@3.0.1, read-package-json-fast@2.0.2
  • 9b311fe52 #2736 @npmcli/arborist@2.2.4:
    • Do not rely on underscore fields in package.json files
    • Do not remove global packages when updating by name
    • Keep yarn.lock and package-lock.json more in sync

v7.5.5 (2021-02-22)

BUG FIXES

DEPENDENCIES

  • 8c36697df @npmcli/arborist@2.2.3
  • d865b101f libnpmpack@2.0.1
    • respect silent loglevel
  • e606953e5 libnpmversion@1.0.11
    • respect silent loglevel
  • 9c51005a1 npm-package-arg@8.1.1
    • do a better job of detecting git specifiers like git@github.com:npm/cli
  • 8b6bf0db4 pacote@11.2.7
    • respect silent loglevel
    • fix INVALID_URL errors for certain git dependencies

TESTS

DOCUMENTATION

v7.5.4 (2021-02-12)

BUG FIXES

DEPENDENCIES

TESTS

DOCUMENTATION

v7.5.3 (2021-02-08)

BUG FIXES

DEPENDENCIES

  • 3294fed6f pacote@11.2.5
    • prevent infinite recursion in git dep preparation
  • 0f7a3a87c read-package-json-fast@2.0.1
    • avoid duplicating optionalDependencies as dependencies in package.json
  • 6f46b0f7f init-package-json@2.0.2
  • df4f65acc @npmcli/arborist@2.2.0
  • 7038c2ff4 @npmcli/run-script@1.8.2
  • 54cd4c87a libnpmversion@1.0.8
  • 9ab36aae4 graceful-fs@4.2.5
  • e1822cf27 @npmcli/installed-package-contents@1.0.7

v7.5.2 (2021-02-02)

BUG FIXES

DEPENDENCIES

v7.5.1 (2021-02-01

BUG FIXES

DEPENDENCIES

  • 7e4e88e93 @npmcli/arborist@2.1.1, pacote@11.2.4
    • Properly raise ERESOLVE errors on root dev dependencies
    • Ignore ERESOLVE errors when performing git dep 'prepare' scripts
    • Always reinstall packages that are explicitly requested
    • fix global update all so it actually updates things
    • Install bins properly when global root is a link (@isaacs)

DOCUMENTATION

v7.5.0 (2021-01-28)

FEATURES

BUG FIXES

  • d2f8af2da #2445 publish: don't complain about missing auth until after registry is chosen (@dr-js)

DOCUMENTATION

DEPENDENCIES

  • 56c08863e hosted-git-info@3.0.8
  • 18a93f06b ssri@8.0.1
  • cb768f671 @npmcli/move-file@1.1.1
  • 32cc0a4be minipass-fetch@1.3.3
    • fixes ssl settings passthrough
  • 530997968 @npmcli/arborist@2.1.0
    • added signal handler to rollback when possible
    • prevent ERESOLVEs caused by loose root dep specs
    • detect conflicts among nested peerOptional deps
    • properly buildIdealTree when root is a symlink

v7.4.3 (2021-01-21)

DOCUMENTATION

DEPENDENCIES

v7.4.2 (2021-01-15)

DEPENDENCIES

  • e5ce6bbba
    • @npmcli/arborist@2.0.5
      • fix creating missing dirs when using --prefix and --global
      • fix omit types of deps in global installs
      • fix prioritizing npm-shrinkwrap.json over package-lock.json
      • better cache system for packuments
      • improves audit performance

v7.4.1 (2021-01-14)

BUG FIXES

  • 23df96d33 #2486 npm link no longer deletes entire project when global prefix is a symlink (@nlf)

DOCUMENTATION

DEPENDENCIES

v7.4.0 (2021-01-07)

FEATURES

BUG FIXES

DEPENDENCIES

DOCUMENTATION

7.3.0 (2020-12-18)

FEATURES

BUG FIXES

DOCS

TESTING

DEPENDENCIES

  • 4fc2f3e05 #2300 @npmcli/config@1.2.8:
    • Support setting email without username/password

7.2.0 (2020-12-15)

FEATURES

DEPENDENCIES

TESTING

7.1.2 (2020-12-11)

DEPENDENCIES

BUGFIXES

TESTING

DOCUMENTATION

7.1.1 (2020-12-08)

DEPENDENCIES

  • bf09e719c @npmcli/arborist@2.0.0
    • Much stricter tree integrity guarantees
    • Fix issues where the root project is a symlink, or linked as a workspace
  • 7ceb5b728 ini@1.3.6
  • 77c6ced2a make-fetch-happen@8.0.11
    • Avoid caching headers that are hazardous or unnecessary to leave lying around (authorization, npm-session, etc.)
    • #38 Include query string in cache key (@jpb)
  • 0ef25b6cd libnpmsearch@3.1.0:
    • Update to accept query params as options, so we can paginate. (@nlf)
  • 518a66450 @npmcli/config@1.2.4:
    • Do not allow path options to be set to a boolean false value
  • 3d7aff9d8 update all dependencies using latest npm to install them

TESTS

FEATURES

7.1.0 (2020-12-04)

FEATURES

BUG FIXES

DOCUMENTATION

DEPENDENCIES

  • def85c726 @npmcli/arborist@1.0.14
    • fixes running npm exec from file system root folder
  • 4c94673ab semver@7.3.4

7.0.15 (2020-11-27)

DEPENDENCIES

  • 00e6028ef @npmcli/arborist@1.0.13
    • do not override user-defined shorthand values when saving package.json

BUG FIXES

DOCUMENTATION

7.0.14 (2020-11-23)

DEPENDENCIES

  • 09d21ab90 @npmcli/run-script@1.8.1
    • fix a regression in how scripts are escaped

7.0.13 (2020-11-20)

BUG FIXES

DEPENDENCIES

  • 3daaf000a @npmcli/arborist@1.0.12
    • fixes some windows specific bugs in how paths are handled and compared

DOCUMENTATION

7.0.12 (2020-11-17)

BUG FIXES

DEPENDENCIES

  • b74c05d88 @npmcli/run-script@1.8.0
    • fix windows command-line argument escaping

DOCUMENTATION

7.0.11 (2020-11-13)

DEPENDENCIES

BUG FIXES

7.0.10 (2020-11-10)

DOCUMENTATION

BUG FIXES

DEPENDENCIES

  • 04a3e8c10 #1962 @npmcli/arborist@1.0.10:
    • prevent self-assignment of parent/fsParent
    • Support update options in global package space

7.0.9 (2020-11-06)

BUG FIXES

DEPENDENCIES

  • 74325f53b #2124 @npmcli/run-script@1.7.5:
    • Export the isServerPackage method
    • Proxy signals to and from foreground child processes
  • 0e58e6f6b #1984 #2079 #1923 #606 #2031 @npmcli/arborist@1.0.9:
    • Process deps for all link nodes
    • Use junctions instead of symlinks
    • Use @npmcli/move-file instead of fs.rename
  • 1dad328a1 #1865 #2106 #2084 pacote@11.1.13:
    • Properly set the installation command for prepare scripts when installing git/dir deps
  • e090d706c #2097 libnpmversion@1.0.7:
    • Do not crash when the package.json file lacks a 'version' field
  • 8fa541a10 cmark-gfm@0.8.4

7.0.8 (2020-11-03)

DOCUMENTATION

BUG FIXES

  • 6cd3cd08a Support all conf keys in publishConfig
  • a1f9be8a7 #2074 Support publishing any kind of spec, not just directories

DEPENDENCIES

  • 545382df6 libnpmpublish@4.0.0:
    • Support publishing things other than folders
  • 7d88f1719 npm-registry-fetch@9.0.0
  • 823b40a4e pacote@11.1.12
  • 90bf57826 npm-profile@5.0.2
  • e5a413577 libnpmteam@2.0.2
  • fc5aa7b4a libnpmsearch@3.0.1
  • 9fc1dee13 libnpmorg@2.0.1
  • 0ea870ec5 libnpmhook@6.0.1
  • 32fd744ea libnpmaccess@4.0.1
  • fc76f3d9f @npmcli/arborist@1.0.8
    • Fix cannot read property 'description' of undefined in npm ls when package-lock.json is corrupted
    • Do not allow peerDependencies to be nested under dependents in any circumstances
    • Always resolve peerDependencies in --prefer-dedupe mode

7.0.7 (2020-10-30)

BUG FIXES

DEPENDENCIES

  • 4156f053e @npmcli/run-script@1.7.4
    • restore the default npm start script
  • 1900ae9ad @npmcli/promise-spawn@1.3.2
    • fix errors when processing scripts as root
  • 8cb0c166c @npmcli/arborist@1.0.6
    • make sure missing bin links get set on reify

7.0.6 (2020-10-27)

BUG FIXES

DEPENDENCIES

  • 99ae633f6 libnpmversion@1.0.6
    • respect gitTagVersion = false
  • d4173f58d @npmcli/promise-spawn@1.3.1
    • do not return empty buffer when stdio is inherited
    • attach child process to returned promise
  • c09380fa5 @npmcli/run-script@1.7.3
    • forward SIGINT and SIGTERM to children that inherit stdio
  • b154861ad @npmcli/arborist@1.0.5
  • ffea6596b agent-base@6.0.2
    • support http proxy for https registries

7.0.5 (2020-10-23)

  • 77ad86b5e Merge docs deps with main project

7.0.4 (2020-10-23)

DOCUMENTATION

BUG FIXES

TESTS

DEPENDENCIES

  • ed6e6a9d3 eslint-plugin-standard@4.0.2

  • b737ee999 #2009 #2007 npm-packlist@2.1.4:

    • Maintain order in package.json files array globs
    • Strip slashes from package files list results
  • 783965508 #1997 #2000 #2005 @npmcli/arborist@1.0.4

    • Ensure that root is added when root.meta is set
    • Include all edges in explain() output when a root edge exists
    • Do not conflict on meta-peers that will not be replaced
    • Install peerOptionals if explicitly requested, or dev

7.0.3 (2020-10-20)

BUG FIXES

DOCUMENTATION

DEPENDENCIES

7.0.2 (2020-10-16)

DOCUMENTATION

BUG FIXES

DEPENDENCIES

7.0.1 (2020-10-15)

DOCUMENTATION

  • 03fca6a3b Adds docs on workspaces, explaining its basic concept and how to use it. (@ruyadorno)

BUG FIXES

DEPENDENCIES

  • 120e62736 node-gyp@7.1.1
  • 6560b8d95 @npmcli/arborist@1.0.2
    • do not drop scope information when fetching scoped package tarballs
    • fix cycles/ordering resolution when peer deps require nesting
  • 282a1e008 npm-user-validate@1.0.1
  • b259edcb4 hosted-git-info@3.0.7

v7.0.0 (2020-10-12)

BUG FIXES

DOCUMENTION

DEPENDENCIES

  • 15366a1cf npm-registry-fetch@8.1.5
  • f04a74140 init-package-json@2.0.0
    • 1de21dce0 fix: support dot-separated aliases defined in a .npmrc ini files for init-* configs (@ruyadorno)
  • a67275cd9 eslint@7.11.0
  • 6fb83b78d hosted-git-info@3.0.6
  • 1ca30cc9b libnpmfund@1.0.0
  • 28a2d2ba4 @npmcli/arborist@1.0.0
    • npm/rfcs#239 Improve handling of conflicting peerDependencies in transitive dependencies, so that --force will always accept a best effort override, and --strict-peer-deps will fail faster on conflicts.
  • 9306c6833 libnpmfund@1.0.1
  • fafb348ef npm-package-arg@8.1.0
  • 365f2e756 read-package-json@3.0.0

v7.0.0-rc.4 (2020-10-09)

  • 09b456f2d @npmcli/config@1.2.1
    • #1919 exposes npm_config_user_agent env variable (@nlf)
  • e859fba9e #1936 fix npx for non-interactive shells (@nlf)
  • 9320b8e4f #1906 restore old npx behavior of running existing bins first (@nlf)
  • 7bd47ca2c @npmcli/arborist@0.0.33
    • fixed handling of invalid package.json file
  • 02737453b make-fetch-happen@8.0.10
    • do not calculate integrity values of http errors

v7.0.0-rc.3 (2020-10-06)

v7.0.0-rc.2 (2020-10-02)

  • 6de81a013 @npmcli/run-script@1.7.2
    • Fix regression running 'install' scripts when package.json does not contain a scripts object

v7.0.0-rc.1 (2020-10-02)

  • 281a7f39a @npmcli/arborist@0.0.31
    • Allow npm update to update bundled root dependencies
    • Only do implicit node-gyp build for gyp files named binding.gyp
  • 384f5ec47 update minipass-fetch to fix many 'cb() never called' errors
  • 7b1e75906 @npmcli/run-script@1.7.1
    • Only do implicit node-gyp build for gyp files named binding.gyp
  • c20e2f0c7 #1892 Support --omit options in npm outdated

v7.0.0-rc.0 (2020-10-01)

v7.0.0-beta.13 (2020-09-29)

v7.0.0-beta.12 (2020-09-22)

  • 24f3a5448 #1811 npm ci should never save package.json or lockfile (@isaacs)
  • 5e780a5f0 remove unused spec parameter, assign error code (@nlf)
  • f019a248a Remove unused npx binary (@isaacs)
  • db157b3ce @npmcli/arborist@0.0.27
    • Resolve race condition with conflicting bin links in local installs
    • #1812 Log engine mismatches more usefully
    • #1814 Do not loop trying to resolve dependencies that fail to load
    • npm/rfcs#224 Do not automatically install optional peer dependencies
    • Add the strictPeerDeps option, defaulting to false
    • fix forwarding configs to resolve pkg spec when adding new deps
  • b3a50d275 #1846 @npmcli/run-script@1.6.0
    • This updates node-gyp to v7, allowing us to deduplicate a lot of significant dependencies.
  • a1d375f6b #1819 Add --strict-peer-deps option (@isaacs)
  • 5837a4843 #1699 Use allow/deny list in docs (@luciomartinez)

v7.0.0-beta.11 (2020-09-16)

  • 63005f4a9 #1639 npm view should not output extra newline (@MylesBorins)
  • 3743a42c8 #1750 add outdated tests (@claudiahdz)
  • 2019abdf1 #1786 add lib/link.js tests (@ruyadorno)
  • 2f8d11968 @npmcli/arborist@0.0.25
    • add meta vulnerability calculator for faster audits
    • changed parsing specs to be relative to cwd
    • fix logging script execution
    • fix properly following resolved symlinks
    • fix package.json dependencies order
  • 49b2bf5a7 @npmcli/config@1.1.8
    • fix unknown envs to be passed through
    • fix setting correct globalPrefix on load
  • f9aac351d libnpmversion@1.0.5
    • fix git ignored lockfiles

v7.0.0-beta.10 (2020-09-08)

v7.0.0-beta.9 (2020-09-04)

  • ef8f5676b #1757 view: always fetch fullMetadata, and preferOnline

  • ac5aa709a #1758 fix scope config

  • a36e2537f outdated: don't throw on non-version/tag/range dep

  • 371f0f062 @npmcli/arborist@0.0.20

    • Provide explanation objects for ERESOLVE errors
    • Support overriding certain classes of ERESOLVE errors with --force
    • Detect changes to package.json requiring package-lock dependency flag re-evaluation
  • 2a4e2e9ef #1761 Explain ERESOLVE errors

  • 8e3e83bd4 @npmcli/arborist@0.0.21

    • Remove bin links on prune
    • Remove unnecessary tree walk for workspace projects
    • Install workspaces on update:true
  • d6b134fd9 #1738 #1734 fix package spec parsing during cache add process (@mjeanroy)

  • f105eb833 npm-audit-report@2.1.4:

    • Do not crash on cyclical meta-vulnerability references
  • 03a9f569b opener@1.5.2

  • 5616a23b4 @npmcli/git@2.0.4

    • Support .git files, so that git worktrees are respected

v7.0.0-beta.8 (2020-09-01)

v7.0.0-beta.7 (2020-08-25)

v7.0.0-beta.6 (2020-08-21)

  • 707207bdd add @npmcli/config dependency

  • 5cb9a1d4d #1688 use @npmcli/config for configuration (@isaacs)

  • a4295f5db npm-registry-fetch@8.1.4:

    • Redact passwords from HTTP logs
  • a5a6a516d json-parse-even-better-errors@2.3.0:

    • Adds support for indentation/newline formatting preservation
  • a14054558 read-package-json-fast@1.2.1:

    • Adds support for indentation/newline formatting preservation
  • f8603c8af libnpmversion@1.0.4:

    • Adds support for indentation/newline formatting preservation
  • 9891fa71c read-package-json@2.1.2:

    • Adds support for indentation/newline formatting preservation
  • b44768aac #1662 #1693 #1690 @npmcli/arborist@0.0.17:

    • Load root project package.json when running loadVirtual.
    • Fetch metadata from registry when loading tree from outdated package-lock.json file. This avoids a situation where a lockfile or shrinkwrap from npm v5 would result in deleting dependencies on install.
    • Preserve package.json and package-lock.json formatting in all places where these files are written.
  • 281da6fdc tar@6.0.5

  • 1faa5b33d #1655 show usage when help-search finds no results

  • 10fcff73a #1695 fix pulseWhileDone promise handling

  • 88e4241c5 #1698 add lib/logout.js unit tests (@ruyadorno)

v7.0.0-beta.5 (2020-08-18)

v7.0.0-beta.4 (2020-08-11)

Replace some environment variables that were excluded. This implements the amendment to RFC0021.

v7.0.0-beta.3 (2020-08-10)

Bring back support for npm audit --production, fix a minor npm version annoyance, and track down a very serious issue where a project could be blown away when it matches a meta-dep in the tree.

v7.0.0-beta.2 (2020-08-07)

New notification style for updates, and a working doctor.

v7.0.0-beta.1 (2020-08-05)

Fix some issues found in the beta pubish process, and initial attempts to use npm v7 with citgm.

v7.0.0-beta.0 (2020-08-04)

Major refactoring and overhaul of, well, pretty much everything. Almost all dependencies have been updated, many have been removed, and the entire Installer class is moved into @npmcli/arborist.

Some High-level Changes and Improvements

  • You can install GitHub pull requests by adding #pull/<number> to the git url. So it'd be something like npm install github:user/project#pull/123 to install PR number 123 of the user/project git repo. You can of course also use this in dependencies, or anywhere else dependency specifiers are found.
  • Initial Workspaces support is added. If you npm install in a project with a workspaces declaration, npm will install all your sub-projects' dependencies as well, and link everything up proper.
  • npm exec is added, to run any arbitrary command as if it was an npm script. This is sort of like npx, which is also ported to use npm exec under the hood.
  • npm audit output is tightened up, and prettified. Audit can also now fix a few more classes of problems, sends far less data over the wire, and doesn't place blame on the wrong maintainers. (Technically this is a breaking change if you depend on the specific audit output, but it's also a big improvement!)
  • npm install got faster. Like a lot faster. "So fast you'll think it's broken" faster. npm ls got even fasterer. A lot of stuff sped up, is what we're saying.
  • Support has been dropped for Node.js versions less than v10.

On the "Breaking" in "Breaking Changes"

The Semantic Versioning specification precisely defines what constitutes a "breaking" change. In a nutshell, it's any change that causes a you to change your code in order to start using our code. We hasten to point this out, because a "breaking change" does not mean that something about the update is "broken", necessarily.

We're sure that some things likely are broken in this beta, because beta software, and a healthy pessimism about things. But nothing is "broken" on purpose here, and if you find a bug, we'd love for you to let us know.

Known Issues, and What's Missing From This Beta (Why Not GA?)

It's beta software!

Tests

We have not yet gotten to 100% test coverage of the npm CLI codebase. As such, there are almost certainly bugs lying in wait. We do have 100% test coverage of most of the commands, and all recently-updated dependencies in the npm stack, so it's certainly more well-tested than any version of npm before.

Docs

The documentation is incorrect and out of date in most places. Prior to a GA release, we'll be going through all of our documentation with a fine-toothed comb to minimize the lies that it tells.

Error Messaging

There are a few cases where this release will just say something failed, and not give you as much help as we'd like. We know, and we'll fix that prior to the GA 7.0.0 release.

In particular, if you install a project that has conflicting peerDependencies in the tree, it'll just say "Unable to resolve package tree". Prior to GA release, it'll tell you how to fix it. (For the time being, just run it again with --legacy-peer-deps, and that'll make it operate like npm v6.)

Audit Issue

There is a known performance issue in some cases that we've identified where npm audit can spin wildly out of control like a dancer gripped by a fever, heating up your laptop with fires of passion and CPU work. This happens when a vulnerability is in a tree with a lot of cross-linked dependencies that all depend on one another.

We have a fix for it, but if you run into this issue, you can run with --no-audit to tell npm to chill out a little bit.

That's about it! It's ready to use, and you should try it out.

Now on to the list of BREAKING CHANGES!

Programmatic Usage

  • RFC 20 The CLI and its dependencies no longer use the figgy-pudding library for configs. Configuration is done using a flat plain old JavaScript object.
  • The lib/fetch-package-metadata.js module is removed. Use pacote to fetch package metadata.
  • @npmcli/arborist should be used to do most things programmatically involving dependency trees.
  • The onload-script option is no longer supported.
  • The log-stream option is no longer supported.
  • npm.load() MUST be called with two arguments (the parsed cli options and a callback).
  • npm.root alias for npm.dir removed.
  • The package.json in npm now defines an exports field, making it no longer possible to require() npm's internal modules. (This was always a bad idea, but now it won't work.)

All Registry Interactions

The following affect all commands that contact the npm registry.

  • referer header no longer sent
  • npm-command header added

All Lifecycle Scripts

The environment for lifecycle scripts (eg, build scripts, npm test, etc.) has changed.

  • RFC 21 Environment no longer includes npm_package_* fields, or npm_config_* fields for default configs. npm_package_json, npm_package_integrity, npm_package_resolved, and npm_command environment variables added.

    (NB: this will change a bit prior to a v7.0.0 GA release)

  • RFC 22 Scripts run during the normal course of installation are silenced unless they exit in error (ie, with a signal or non-zero exit status code), and are for a non-optional dependency.

  • RFC 24 PATH environment variable includes all node_modules/.bin folders, even if found outside of an existing node_modules folder hierarchy.

  • The user, group, uid, gid, and unsafe-perms configurations are no longer relevant. When npm is run as root, scripts are always run with the effective uid and gid of the working directory owner.

  • Commands that just run a single script (npm test, npm start, npm stop, and npm restart) will now run their script even if --ignore-scripts is set. Prior to the GA v7.0.0 release, they will not run the pre/post scripts, however. (So, it'll be possible to run npm test --ignore-scripts to run your test but not your linter, for example.)

npx

The npx binary was rewritten in npm v7, and the standalone npx package deprecated when v7.0.0 hits GA. npx uses the new npm exec command instead of a separate argument parser and install process, with some affordances to maintain backwards compatibility with the arguments it accepted in previous versions.

This resulted in some shifts in its functionality:

  • Any npm config value may be provided.
  • To prevent security and user-experience problems from mistyping package names, npx prompts before installing anything. Suppress this prompt with the -y or --yes option.
  • The --no-install option is deprecated, and will be converted to --no.
  • Shell fallback functionality is removed, as it is not advisable.
  • The -p argument is a shorthand for --parseable in npm, but shorthand for --package in npx. This is maintained, but only for the npx executable. (Ie, running npm exec -p foo will be different from running npx -p foo.)
  • The --ignore-existing option is removed. Locally installed bins are always present in the executed process PATH.
  • The --npm option is removed. npx will always use the npm it ships with.
  • The --node-arg and -n options are removed.
  • The --always-spawn option is redundant, and thus removed.
  • The --shell option is replaced with --script-shell, but maintained in the npx executable for backwards compatibility.

We do intend to continue supporting the npx that npm ships; just not the npm install -g npx library that is out in the wild today.

Files On Disk

  • RFC 13 Installed package.json files no longer are mutated to include extra metadata. (This extra metadata is stored in the lockfile.)
  • package-lock.json is updated to a newer format, using "lockfileVersion": 2. This format is backwards-compatible with npm CLI versions using "lockfileVersion": 1, but older npm clients will print a warning about the version mismatch.
  • yarn.lock files used as source of package metadata and resolution guidance, if available. (Prior to v7, they were ignored.)

Dependency Resolution

These changes affect install, ci, install-test, install-ci-test, update, prune, dedupe, uninstall, link, and audit fix.

  • RFC 25 peerDependencies are installed by default. This behavior can be disabled by setting the legacy-peer-deps configuration flag.

    BREAKING CHANGE: this can cause some packages to not be installable, if they have unresolveable peer dependency conflicts. While the correct solution is to fix the conflict, this was not forced upon users for several years, and some have come to rely on this lack of correctness. Use the --legacy-peer-deps config flag if impacted.

  • RFC 23 Support for acceptDependencies is added. This can result in dependency resolutions that previous versions of npm will incorrectly flag as invalid.

  • Git dependencies on known git hosts (GitHub, BitBucket, etc.) will always attempt to fetch package contents from the relevant tarball CDNs if possible, falling back to git+ssh for private packages. resolved value in package-lock.json will always reflect the git+ssh url value. Saved value in package.json dependencies will always reflect the canonical shorthand value.

  • Support for the --link flag (to install a link to a globall-installed copy of a module if present, otherwise install locally) has been removed. Local installs are always local, and npm link <pkg> must be used explicitly if desired.

  • Installing a dependency with the same name as the root project no longer requires --force. (That is, the ENOSELF error is removed.)

Workspaces

  • RFC 26 First phase of workspaces support is added. This changes npm's behavior when a root project's package.json file contains a workspaces field.

npm update

  • RFC 19 Update all dependencies when npm update is run without any arguments. As it is no longer relevant, --depth config flag removed from npm update.

npm outdated

  • RFC 27 Remove --depth config from npm outdated. Only top-level dependencies are shown, unless --all config option is set.

npm adduser, npm login

  • The --sso options are deprecated, and will print a warning.

npm audit

  • Output and data structure is significantly refactored to call attention to issues, identify classes of fixes not previously available, and remove extraneous data not used for any purpose.

    BREAKING CHANGE: Any tools consuming the output of npm audit will almost certainly need to be updated, as this has changed significantly, both in the readable and --json output styles.

npm dedupe

  • Performs a full dependency tree reification to disk. As a result, npm dedupe can cause missing or invalid packages to be installed or updated, though it will only do this if required by the stated dependency semantics.

  • Note that the --prefer-dedupe flag has been added, so that you may install in a maximally deduplicated state from the outset.

npm fund

  • Human readable output updated, reinstating depth level to the printed output.

npm ls

  • Extraneous dependencies are listed based on their location in the node_modules tree.
  • npm ls only prints the first level of dependencies by default. You can make it print more of the tree by using --depth=<n> to set a specific depth, or --all to print all of them.

npm pack, npm publish

  • Generated gzipped tarballs no longer contain the zlib OS indicator. As a result, they are truly dependent only on the contents of the package, and fully reproducible. However, anyone relying on this byte to identify the operating system of a package's creation may no longer rely on it.

npm rebuild

  • Runs package installation scripts as well as re-creating links to bins. Properly respects the --ignore-scripts and --bin-links=false configuration options.

npm build, npm unbuild

  • These two internal commands were removed, as they are no longer needed.

npm test

  • When no test is specified, will fail with missing script: test rather than injecting a synthetic echo 'Error: no test specified' test script into the package.json data.

Credits

Huge thanks to the people who wrote code for this update, as well as our group of dedicated Open RFC call participants. Your participation has contributed immeasurably to the quality and design of npm.