Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

deps: upgrade npm to 6.1.0 #20190

Closed
wants to merge 1 commit into from
Closed

deps: upgrade npm to 6.1.0 #20190

wants to merge 1 commit into from

Conversation

iarna
Copy link
Member

@iarna iarna commented Apr 21, 2018

Checklist
Where this should land
  • Node 10
  • Node 8
Breaking changes

This is a major release, so it does include breaking changes. They are, however, very minor and important:

  • npm update and npm outdated now will not suggest versions greater than the version tagged as latest. This is in alignment with the use of tags for release trains or experimental versions, while not requiring the use of prerelease version numbers.
  • npm install will now do its best to avoid versions that are marked as deprecated. That is makes npm deprecate similar to how the gem yank command works in ruby. If you specifically ask for a deprecated version you will still get it.
  • npm will now report that it no longer supports node v4 and node v7.
Notable changes
  • Flattening npm's dependency tree to take advantage of the MacOS installer rewrite will fix npm causes the windows installer (.msi) to almost reach MAX_PATH (and using the .zip can easily exceed it) #19449
  • npm init now can take an argument and it will run a matching create-… script from the registry. An amalgam of npx and yarn create.
  • npm audit provides a vulnerability scanner. The registry side of this will be available soon. Details are discussed in the CHANGELOG
  • npm audit fix to help users automatically fix vulnerabilities found with npm audit.
  • Webhook management is now included with the cli as the npm hook command. Previously this functionality was found in the module wombat. With webhooks you can request notification whenever a package updates.
  • Rewrite binaries less. Previously if we found a CRLF in a binary that had a shebang then we would convert the entire file to unix line endings. With this change we only convert the shebang line itself.
  • Eliminate use of new Buffer in npm
  • Rewritten and prettier npm view
  • npm pack and npm publish previews when running them with --dry-run
  • npm ci, new, faster, lock-file only install mode and npm cit to install and test
  • Automatic git merge conflict resolution on conflicts in lock-files.
  • A slew of bug fixes are stabilizing lock-files when using partial installs (eg, --only=production, --no-optional, etc)
Changelogs

@iarna iarna added the npm Issues and PRs related to the npm client dependency or the npm registry. label Apr 21, 2018
@ChALkeR
Copy link
Member

ChALkeR commented Apr 21, 2018

/cc @jasnell

@Trott Trott added this to the 10.0.0 milestone Apr 21, 2018
@Trott Trott added the v10.x label Apr 21, 2018
Copy link
Member

@Trott Trott left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rubber-stamp LGTM if Ci is green. Probably want to run CITGM too?

@jasnell
Copy link
Member

jasnell commented Apr 21, 2018

This is likely semver-major.
Without explicit TSC sign off it will not land in 10.0.0.

@Trott
Copy link
Member

Trott commented Apr 21, 2018

@nodejs/tsc I'm labeling this tsc-review. Please indicate endorsement or opposition to landing this in 10.0.0 with a 👍 or a 👎 on this comment. Of course, feel free to leave a comment yourself if you want to explain your position or ask a question.

[EDIT: Just to make sure there's no confusion, 👍 means you approve landing this in 10.0.0 and 👎 means you are opposed to it. Heck, let's throw in 😕 for anyone who wants to indicate they have no opinion either way, basically abstaining.]

@ChALkeR
Copy link
Member

ChALkeR commented Apr 21, 2018

@Trott it should be noted that this is not 6.0.0 yet — it looks like 6.0.0 hasn't been tagged.
See https://github.com/npm/npm/releases/tag/v6.0.0-next.2

@iarna Is this WiP? What's the ETA for 6.0.0?

@iarna
Copy link
Member Author

iarna commented Apr 21, 2018

@ChALkeR Our plans over the last several months has been to only badge 6.0.0 in conjunction with the Node 10 release, assuming npm6 lands in Node 10. The version badged as 6.0.0 and tagged as latest will otherwise be exactly the same as 6.0.0-next.2. (I have a sneaking suspicion that our plans were not communicated and coordinated where I thought they were, so if this is the first you all are hearing of this, I appologize.)

@MylesBorins
Copy link
Contributor

@iarna what are the semver major changes from 5 -> 6

Is it possible that this could be semver minor? If so we could also backport to 8.x

@iarna
Copy link
Member Author

iarna commented Apr 21, 2018

@MylesBorins I think I answered all these questions in opening:

The major changes are described under "breaking changes" in the summary. They are quite minor but they aren't semver minor. I'm of the opinion that they're valuable enough that we should lobby to include them in Node 8, but YMMV.

And if you look under "where should this land" I said:

Node 8; … If we all end up deciding that's not the way to go, I do have an alternate release line with everything but the breaking changes here that I can PR for it.

There's a 5.10.0 rc currently published, but I'd want to do a 5.11 with the non-breaking things from 6 if it's decided that Node 8 can't take 6.

@mcollina
Copy link
Member

Considering the status of things, +1 to fast-track with CI and CITGM ok.

@ChALkeR
Copy link
Member

ChALkeR commented Apr 21, 2018

Our plans over the last several months has been to only badge 6.0.0 in conjunction with the Node 10 release, assuming npm6 lands in Node 10. The version badged as 6.0.0 and tagged as latest will otherwise be exactly the same as 6.0.0-next.2.

@iarna Yes, that looks good to me then. Huge +1 to getting npm@6 into 10.0.0.
That said, I did not do a proper review of this PR — don't consider this comment as such.

+1 to fast-track

@mcollina I don't think this could be fast-tracked, could it?

@mcollina
Copy link
Member

If we plan to release on Tuesday 24th, there won’t be 72 hours (weekend time) to be able to issue another rc with this in.

If we want to have this in 10.0.0, this should have landed weeks ago. The longer we wait the worse it’ll get.

We need TSC approval anyway.

@addaleax
Copy link
Member

As I understand #20121 (comment), we essentially want a @nodejs/tsc vote for this.

I’m okay with landing this in 10.0.0, but yes, it’s way past the deadline and not exactly a trivial change, so I think it would be a good option to include it in the first semver-minor release, given how small the actual breakages here are.

@jasnell
Copy link
Member

jasnell commented Apr 21, 2018

No, this pr cannot be fast tracked in the normal sense. It's too large, needs more review, and adequate consideration. I'm leaning strongly against rushing it in to 10.0.0 and potentially landing it as a minor in a 10.x minor later.

@cjihrig
Copy link
Contributor

cjihrig commented Apr 21, 2018

+1 to landing it in a semver minor.

@joyeecheung
Copy link
Member

I am leaning towards landing it as semver minor as well

@mcollina
Copy link
Member

I’m also +1 to landing as a minor after 10.0.0 is released as well.

@MylesBorins
Copy link
Contributor

MylesBorins commented Apr 21, 2018 via email

@BridgeAR BridgeAR mentioned this pull request Apr 22, 2018
@TimothyGu
Copy link
Member

+1 on landing this as semver-minor.

@mhdawson
Copy link
Member

mhdawson commented Apr 23, 2018

+1 on landing this as semver-minor after the release.

@jasnell jasnell removed this from the 10.0.0 milestone Apr 23, 2018
@jasnell
Copy link
Member

jasnell commented Apr 23, 2018

Removing this from the 10.0.0 milestone.

@Trott
Copy link
Member

Trott commented Apr 23, 2018

Seems like there's consensus on landing this in 10.x but not 10.0. Removing tsc-review label. Can re-add if there are advocates for landing in 10.0 and not a subsequent 10.x release.

@Trott Trott removed the tsc-review label Apr 23, 2018
@BridgeAR BridgeAR added the semver-minor PRs that contain new features and should be released in the next minor version. label Apr 24, 2018
@iarna iarna closed this May 25, 2018
iarna added a commit that referenced this pull request May 25, 2018
PR-URL: #20190
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
targos pushed a commit that referenced this pull request May 25, 2018
PR-URL: #20190
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
@MylesBorins MylesBorins mentioned this pull request May 29, 2018
MylesBorins added a commit that referenced this pull request May 29, 2018
Notable Changes:

* **deps**:
  - upgrade npm to 6.1.0 (Rebecca Turner)
    #20190
* **fs**:
  - fix reads with pos \> 4GB (Mathias Buus)
    #21003
* **net**:
  - new option to allow IPC servers to be readable and writable
    by all users (Bartosz Sosnowski)
    #19472
* **stream**:
  - fix removeAllListeners() for Stream.Readable to work as expected
    when no arguments are passed (Kael Zhang)
    #20924
* **Added new collaborators**
  - John-David Dalton (https://github.com/jdalton)

PR-URL: #21011
MylesBorins added a commit that referenced this pull request May 29, 2018
Notable Changes:

* **deps**:
  - upgrade npm to 6.1.0 (Rebecca Turner)
    #20190
* **fs**:
  - fix reads with pos \> 4GB (Mathias Buus)
    #21003
* **net**:
  - new option to allow IPC servers to be readable and writable
    by all users (Bartosz Sosnowski)
    #19472
* **stream**:
  - fix removeAllListeners() for Stream.Readable to work as expected
    when no arguments are passed (Kael Zhang)
    #20924
* **Added new collaborators**
  - John-David Dalton (https://github.com/jdalton)

PR-URL: #21011
MylesBorins added a commit that referenced this pull request May 29, 2018
Notable Changes:

* **deps**:
  - upgrade npm to 6.1.0 (Rebecca Turner)
    #20190
* **fs**:
  - fix reads with pos \> 4GB (Mathias Buus)
    #21003
* **net**:
  - new option to allow IPC servers to be readable and writable
    by all users (Bartosz Sosnowski)
    #19472
* **stream**:
  - fix removeAllListeners() for Stream.Readable to work as expected
    when no arguments are passed (Kael Zhang)
    #20924
* **Added new collaborators**
  - John-David Dalton (https://github.com/jdalton)

PR-URL: #21011
hashseed pushed a commit to v8/node that referenced this pull request Jun 6, 2018
PR-URL: nodejs#20190
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
princjef pushed a commit to princjef/node that referenced this pull request Jun 12, 2018
PR-URL: nodejs#20190
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
MylesBorins pushed a commit that referenced this pull request Jun 14, 2018
Backport-PR-URL: #21302
PR-URL: #20190
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
@MylesBorins MylesBorins mentioned this pull request Jul 9, 2018
rvagg pushed a commit that referenced this pull request Aug 16, 2018
Backport-PR-URL: #21302
PR-URL: #20190
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
author ready PRs that have at least one approval, no pending requests for changes, and a CI started. npm Issues and PRs related to the npm client dependency or the npm registry. semver-minor PRs that contain new features and should be released in the next minor version.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

npm causes the windows installer (.msi) to almost reach MAX_PATH (and using the .zip can easily exceed it)