Skip to content

Commit

Permalink
deps: upgrade to npm 2.14.2
Browse files Browse the repository at this point in the history
PR-URL: #2696
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
  • Loading branch information
zkat authored and rvagg committed Sep 6, 2015
1 parent b4f1711 commit d15ba80
Show file tree
Hide file tree
Showing 499 changed files with 7,132 additions and 11,981 deletions.
2 changes: 0 additions & 2 deletions deps/npm/.npmrc

This file was deleted.

7 changes: 7 additions & 0 deletions deps/npm/AUTHORS
Original file line number Diff line number Diff line change
Expand Up @@ -301,3 +301,10 @@ Thaddee Tyl <thaddee.tyl@gmail.com>
Steve Klabnik <steve@steveklabnik.com>
Andrew Murray <radarhere@gmail.com>
Stephan Bönnemann <stephan@excellenteasy.com>
Kyle M. Tarplee <kyle.tarplee@numerica.us>
Derek Peterson <derekpetey@gmail.com>
Greg Whiteley <greg.whiteley@atomos.com>
murgatroid99 <mlumish@google.com>
Marcin Cieslak <saper@saper.info>
João Reis <reis@janeasystems.com>
Matthew Hasbach <hasbach.git@gmail.com>
276 changes: 274 additions & 2 deletions deps/npm/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,277 @@
### v2.14.2 (2015-08-27):

#### GETTING THAT PESKY `preferGlobal` WARNING RIGHT

So apparently the `preferGlobal` option hasn't quite been warning correctly for
some time. But now it should be all better! tl;dr: if you try and install a
dependency with `preferGlobal: true`, and it's _not already_ in your
`package.json`, you'll get a warning that the author would really rather you
install it with `--global`. :)

* [`bbb25f3`](https://github.com/npm/npm/commit/bbb25f30d582f8979168c79233a9f8f840974f90)
[#8841](https://github.com/npm/npm/issues/8841)
[#9409](https://github.com/npm/npm/issues/9409) The `preferGlobal`
warning shouldn't happen if the dependency being installed is listed in
`devDependencies`. ([@saper](https://github.com/saper))
* [`222fcec`](https://github.com/npm/npm/commit/222fcec85ccd30d35899e5037079fb14625af4e2)
[#9409](https://github.com/npm/npm/issues/9409) `preferGlobal` now prints a
warning when there are no dependencies for the current package.
([@zkat](https://github.com/zkat))
* [`5cfed6d`](https://github.com/npm/npm/commit/5cfed6d7a1a5f2731688cfc8293b5e43a6355393)
[#9409](https://github.com/npm/npm/issues/9409) Verify that
`preferGlobal` is warning as expected (when a `preferGlobal` dependency is
installed, but isn't listed in either `dependencies` or `devDependencies`).
([@zkat](https://github.com/zkat))

#### BUMP +1

* [`eeafce2`](https://github.com/npm/npm/commit/eeafce2d06883c0f51bf403415b6bc5f2647eba3)
`validate-npm-package-license@3.0.1`: Include additional metadata in parsed license object,
useful for license checkers. ([@kemitchell](https://github.com/kemitchell))
* [`1502a28`](https://github.com/npm/npm/commit/1502a285f84aa548806b3eafc8889e6288e810f3)
`normalise-package-data@2.3.2`: Updated to use `validate-npm-package-license@3.0.1`.
([@othiym23](https://github.com/othiym23))
* [`cbde823`](https://github.com/npm/npm/commit/cbde8233436bf0ea62a4740869b4990322c20659)
`init-package-json@1.9.1`: Add a `silent` option to suppress output on writing the
generated `package.json`. Also, updated to use `validate-npm-package-license@3.0.1`.
([@zkat](https://github.com/zkat))
* [`08fda46`](https://github.com/npm/npm/commit/08fda465452b4d77f1ced8050ee3a35a77fc30a5)
`tar@2.2.0`: Minor improvements. ([@othiym23](https://github.com/othiym23))
* [`dc2f20b`](https://github.com/npm/npm/commit/dc2f20b53fff77203139c863b48da0e959df2ac9)
`rimraf@2.4.3`: `EPERM` now triggers a delay / retry loop (since Windows throws
this when things still hold a handle). ([@isaacs](https://github.com/isaacs))
* [`e8acb27`](https://github.com/npm/npm/commit/e8acb273aa67ee0394d0431650e1b2a7d09c8554)
`read@1.0.7`: Fix licensing ambiguity. ([@isaacs](https://github.com/isaacs))

#### OTHER STUFF THAT'S RELEVANT

* [`73a1ee0`](https://github.com/npm/npm/commit/73a1ee0be90fa1928521b63f28bef83b8ffab61d)
[#9386](https://github.com/npm/npm/issues/9386) Include additional unignorable files in
documentation.
([@mjhasbach](https://github.com/mjhasbach))
* [`0313e40`](https://github.com/npm/npm/commit/0313e40ee0f757fce8861be590ad668c23d7be53)
[#9396](https://github.com/npm/npm/issues/9396) Improve the `EISDIR` error
message returned by npm's error-handling code to give users a better hint of
what's most likely going on. Usually, error reports with this error code are
about people trying to install things without a `package.json`.
([@KenanY](https://github.com/KenanY))
* [`2677457`](https://github.com/npm/npm/commit/26774579c739c5951351e58263cf4d6ea3d66ec8)
[#9360](https://github.com/npm/npm/issues/9360) Make it easier to run
only _some_ of npm tests with lifecycle scripts via `npm tap test/tap/testname.js`.
([@iarna](https://github.com/iarna))

### v2.14.1 (2015-08-20):

#### SECURITY FIX

There are patches for two information leaks of moderate severity in `npm@2.14.1`:

1. In some cases, npm was leaking sensitive credential information into the
child environment when running package and lifecycle scripts. This could
lead to packages being published with files (most notably `config.gypi`, a
file created by `node-gyp` that is a cache of environmental information
regenerated on every run) containing the bearer tokens used to authenticate
users to the registry. Users with affected packages have been notified (and
the affected tokens invalidated), and now npm has been modified to not
upload files that could contain this information, as well as scrubbing the
sensitive information out of the environment passed to child scripts.
2. Per-package `.npmrc` files are used by some maintainers as a way to scope
those packages to a specific registry and its credentials. This is a
reasonable use case, but by default `.npmrc` was packed into packages,
leaking those credentials. npm will no longer include `.npmrc` when packing
tarballs.

If you maintain packages and believe you may be affected by either
of the above scenarios (especially if you've received a security
notification from npm recently), please upgrade to `npm@2.14.1` as
soon as possible. If you believe you may have inadvertently leaked
your credentials, upgrade to `npm@2.14.1` on the affected machine,
and run `npm logout` and then `npm login`. Your access tokens will be
invalidated, which will eliminate any risk posed by tokens inadvertently
included in published packages. We apologize for the inconvenience this
causes, as well as the oversight that led to the existence of this issue
in the first place.

Huge thanks to [@ChALkeR](https://github.com/ChALkeR) for bringing these
issues to our attention, and for helping us identify affected packages
and maintainers. Thanks also to the Node.js security working group for
their coördination with the team in our response to this issue. We
appreciate everybody's patience and understanding tremendously.

* [`b9474a8`](https://github.com/npm/npm/commit/b9474a843ca55b7c5fac6da33989e8eb39aff8b1)
`fstream-npm@1.0.5`: Stop publishing build cruft (`config.gypi`) and per-project
`.npmrc` files to keep local configuration out of published packages.
([@othiym23](https://github.com/othiym23))
* [`13c286d`](https://github.com/npm/npm/commit/13c286dbdc3fa8fec4cb79fc4d1ee505c8a41b2e)
[#9348](https://github.com/npm/npm/issues/9348) Filter "private"
(underscore-prefixed, even when scoped to a registry) configuration values
out of child environments. ([@othiym23](https://github.com/othiym23))

#### BETTER WINDOWS INTEGRATION, ONE STEP AT A TIME

* [`e40e71f`](https://github.com/npm/npm/commit/e40e71f2f838a8a42392f44e3eeec04e323ab743)
[#6412](https://github.com/npm/npm/issues/6412) Improve the search strategy
used by the npm shims for Windows to prioritize your own local npm installs.
npm has really needed this tweak for a long time, so hammer on it and let us
know if you run into issues, but with luck it will Just Work.
([@joaocgreis](https://github.com/joaocgreis))
* [`204ebbb`](https://github.com/npm/npm/commit/204ebbb3e0cab696a429a878ceeb4a7e78ec2b94)
[#8751](https://github.com/npm/npm/issues/8751)
[#7333](https://github.com/npm/npm/issues/7333) Keep [autorun
scripts](https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx) from
interfering with npm package and lifecycle script execution on Windows by
adding `/d` and `/s` when invoking `cmd.exe`.
([@saper](https://github.com/saper))

#### IT SEEMED LIKE AN IDEA AT THE TIME

* [`286f3d9`](https://github.com/npm/npm/commit/286f3d97103812f0fd84b70352addbe899e258f9)
[#9201](https://github.com/npm/npm/pull/9201) For a while npm was building
HTML partials for use on [`docs.npmjs.com`](https://docs.npmjs.com), but we
weren't actually using them. Stop building them, which makes running the full
test suite and installation process around a third faster.
([@isaacs](https://github.com/isaacs))

#### A SINGLE LONELY DEPENDENCY UPGRADE

* [`b343b95`](https://github.com/npm/npm/commit/b343b956ef777e321e4251ddc96ec6d80827d9e2)
`request@2.61.0`: Bug fixes and keep-alive tweaks.
([@simov](https://github.com/simov))

### v2.14.0 (2015-08-13):

#### IT'S HERE! KINDA!

This release adds support for teens and orcs (err, teams and organizations) to
the npm CLI! Note that the web site and registry-side features of this are
still not ready for public consumption.

A beta should be starting in the next couple of weeks, and the features
themselves will become public once all that's done. Keep an eye out for more
news!

All of these changes were done under [`#9011`](https://github.com/npm/npm/pull/9011):

* [`6424170`](https://github.com/npm/npm/commit/6424170fc17c666a6efc090370ec691e0cab1792)
Added new `npm team` command and subcommands.
([@zkat](https://github.com/zkat))
* [`52220d1`](https://github.com/npm/npm/commit/52220d146d474ec29b683bd99c06f75cbd46a9f4)
Added documentation for new `npm team` command.
([@zkat](https://github.com/zkat))
* [`4e66830`](https://github.com/npm/npm/commit/4e668304850d02df8eb27a779fda76fe5de645e7)
Updated `npm access` to support teams and organizations.
([@zkat](https://github.com/zkat))
* [`ea3eb87`](https://github.com/npm/npm/commit/ea3eb8733d9fa09ce34106b1b19fb1a8f95844a5)
Gussied up docs for `npm access` with new commands.
([@zkat](https://github.com/zkat))
* [`6e0b431`](https://github.com/npm/npm/commit/6e0b431c1de5e329c86e57d097aa88ebfedea864)
Fix up `npm whoami` to make the underlying API usable elsewhere.
([@zkat](https://github.com/zkat))
* [`f29c931`](https://github.com/npm/npm/commit/f29c931012ce5ccd69c29d83548f27e443bf7e62)
`npm-registry-client@7.0.1`: Upgrade `npm-registry-client` API to support
`team` and `access` calls against the registry.
([@zkat](https://github.com/zkat))

#### A FEW EXTRA VERSION BUMPS

* [`c977e12`](https://github.com/npm/npm/commit/c977e12cbfa50c2f52fc807f5cc19ba1cc1b39bf)
`init-package-json@1.8.0`: Checks for some `npm@3` metadata.
([@iarna](https://github.com/iarna))
* [`5c8c9e5`](https://github.com/npm/npm/commit/5c8c9e5ae177ba7d0d298cfa42f3fc7f0271e4ec)
`columnify@1.5.2`: Updated some dependencies.
([@timoxley](https://github.com/timoxley))
* [`5d56742`](https://github.com/npm/npm/commit/5d567425768b75aeab402c817a53d8b2bc60d8de)
`chownr@1.0.1`: Tests, docs, and minor style nits.
([@isaacs](https://github.com/isaacs))

#### ALSO A DOC FIX

* [`846fcc7`](https://github.com/npm/npm/commit/846fcc79b86984b109a97366b0422f995a45f8bf)
[`#9200`](https://github.com/npm/npm/pull/9200) Remove single quotes
around semver range, thus making it valid semver.
([@KenanY](https://github.com/KenanY))

### v2.13.5 (2015-08-07):

This is another quiet week for the `npm@2` release.
[@zkat](https://github.com/zkat) has been working hard on polishing the CLI
bits of the registry's new feature to support direct management of teams and
organizations, and [@iarna](https://github.com/iarna) continues to work through
the list of issues blocking the general release of `npm@3`, which is looking
more and more solid all the time.

[@othiym23](https://github.com/othiym23) and [@zkat](https://github.com/zkat)
have also been at this week's Node.js / io.js [collaborator
summit](https://github.com/nodejs/summit/tree/master), both as facilitators and
participants. This is a valuable opportunity to get some face time with other
contributors and to work through a bunch of important discussions, but it does
leave us feeling kind of sleepy. Running meetings is hard!

What does that leave for this release? A few of the more tricky bug fixes that
have been sitting around for a little while now, and a couple dependency
upgrades. Nothing too fancy, but most of these were contributed by developers
like _you_, which we think is swell. Thanks!

#### BUG FIXES

* [`d7271b8`](https://github.com/npm/npm/commit/d7271b8226712479cdd339bf85faf7e394923e0d)
[#4530](https://github.com/npm/npm/issues/4530) The bash completion script
for npm no longer alters global completion behavior around word breaks.
([@whitty](https://github.com/whitty))
* [`c9ce294`](https://github.com/npm/npm/commit/c9ce29415a0a8fc610690b6e9d91b64d6e36cfcc)
[#7198](https://github.com/npm/npm/issues/7198) When setting up dependencies
to be shared via `npm link <package>`, only run the lifecycle scripts during
the original link, not when running `npm link <package>` or `npm install
--link` against them. ([@murgatroid99](https://github.com/murgatroid99))
* [`422da66`](https://github.com/npm/npm/commit/422da664bd3ce71313da447f170507faf5aac46a)
[#9108](https://github.com/npm/npm/issues/9108) Clear up minor confusion
around wording in `bundledDependencies` section of `package.json` docs.
([@derekpeterson](https://github.com/derekpeterson))
* [`6b42d99`](https://github.com/npm/npm/commit/6b42d99460885e715772d3487b1c548d2bc8a738)
[#9146](https://github.com/npm/npm/issues/9146) Include scripts that run for
`preversion`, `version`, and `postversion` in the section for lifecycle
scripts rather than the generic `npm run-script` output.
([@othiym23](https://github.com/othiym23))

#### NOPE, NOT DONE WITH DEPENDENCY UPDATES

* [`91a48bb`](https://github.com/npm/npm/commit/91a48bb5ef5a990781c86f8b69b8a32cf4fac2d9)
`chmodr@1.0.1`: Ignore symbolic links when recursively changing mode, just
like the Unix command. ([@isaacs](https://github.com/isaacs))
* [`4bbc86e`](https://github.com/npm/npm/commit/4bbc86e3825e2eee9a8758ba26bdea0cb6a2581e)
`nock@2.10.0` ([@pgte](https://github.com/pgte))

### v2.13.4 (2015-07-30):

#### JULY ENDS ON A FAIRLY QUIET NOTE

Hey everyone! I hope you've had a great week. We're having a fairly small
release this week while we wrap up Teams and Orgs (or, as we've taken to calling
it internally, _Teens and Orcs_).

In other exciting news, a bunch of us are gonna be at the [Node.js Collaborator
Summit](https://github.com/nodejs/summit/issues/1), and you can also find us at
[wafflejs](https://wafflejs.com/) on Wednesday. Hopefully we'll be seeing some
of you there. :)

#### THE PATCH!!!

So here it is. The patch. Hope it helps. (Thanks,
[@ktarplee](https://github.com/ktarplee)!)

* [`2e58c48`](https://github.com/npm/npm/commit/2e58c4819e3cafe4ae23ab7f4a520fe09258cfd7)
[#9033](https://github.com/npm/npm/pull/9033) `npm version` now works on git
submodules
([@ktarplee](https://github.com/ktarplee))

#### OH AND THERE'S A DEV DEPENDENCIES UPDATE

Hooray.

* [`d204683`](https://github.com/npm/npm/commit/d2046839d471322e61e3ceb0f00e78e5c481f967)
nock@2.9.1
([@pgte](https://github.com/pgte))

### v2.13.3 (2015-07-23):

#### I'M SAVING THE GOOD JOKES FOR MORE INTERESTING RELEASES
Expand Down Expand Up @@ -29,12 +303,10 @@ There's a couple of doc updates! The last one might be interesting.
settings.
([@SimenB](https://github.com/SimenB))
* [`cf09e75`](https://github.com/npm/npm/commit/cf09e754931739af32647d667b671e72a4c79081)

[#9022](https://github.com/npm/npm/issues/9022) Document the `"access"` field
in `"publishConfig"`. Did you know you don't need to use `--access=public`
when publishing scoped packages?! Just put it in your `package.json`!
Go refresh yourself on scopes packages by [checking our docs](https://docs.npmjs.com/getting-started/scoped-packages) on them.

([@boennemann](https://github.com/boennemann))
* [`bfd73da`](https://github.com/npm/npm/commit/bfd73da33349cc2afb8278953b2ae16ea95023de)
[#9013](https://github.com/npm/npm/issues/9013) fixed typo in changelog
Expand Down
Loading

0 comments on commit d15ba80

Please sign in to comment.