Canary #49

Closed
wants to merge 24 commits into from
5 changes: 5 additions & 0 deletions AUTHORS
Original file line number Diff line number Diff line change
Expand Up @@ -591,3 +591,8 @@ Darryl Pogue <dvpdiner2@gmail.com>
Rick Schubert <rickschubert@gmx.de>
Daniel W <dwilches@gmail.com>
XhmikosR <xhmikosr@gmail.com>
Martin Kühl <mkhl@users.noreply.github.com>
Valentin Ouvrard <valentin210594@gmail.com>
Noah Benham <noahbenham@users.noreply.github.com>
Brian Olore <brian@olore.net>
Mat Warger <mwarger@gmail.com>
89 changes: 89 additions & 0 deletions CHANGELOG.md
@@ -1,3 +1,92 @@
## v6.4.0 (2018-09-08):

### NEW FEATURES

* [`6e9f04b0b`](https://github.com/npm/cli/commit/6e9f04b0baed007169d4e0c341f097cf133debf7)
[npm/cli#8](https://github.com/npm/cli/pull/8)
Search for authentication token defined by environment variables by preventing
the translation layer from env variable to npm option from breaking
`:_authToken`.
([@mkhl](https://github.com/mkhl))
* [`84bfd23e7`](https://github.com/npm/cli/commit/84bfd23e7d6434d30595594723a6e1976e84b022)
[npm/cli#35](https://github.com/npm/cli/pull/35)
Stop filtering out non-IPv4 addresses from `local-addrs`, making npm actually
use IPv6 addresses when it must.
([@valentin2105](https://github.com/valentin2105))
* [`792c8c709`](https://github.com/npm/cli/commit/792c8c709dc7a445687aa0c8cba5c50bc4ed83fd)
[npm/cli#31](https://github.com/npm/cli/pull/31)
configurable audit level for non-zero exit
`npm audit` currently exits with exit code 1 if any vulnerabilities are found of any level.
Add a flag of `--audit-level` to `npm audit` to allow it to pass if only vulnerabilities below a certain level are found.
Example: `npm audit --audit-level=high` will exit with 0 if only low or moderate level vulns are detected.
([@lennym](https://github.com/lennym))

### BUGFIXES

* [`d81146181`](https://github.com/npm/cli/commit/d8114618137bb5b9a52a86711bb8dc18bfc8e60c)
[npm/cli#32](https://github.com/npm/cli/pull/32)
Don't check for updates to npm when we are updating npm itself.
([@olore](https://github.com/olore))

### DEPENDENCY UPDATES

A very special dependency update event! Since the [release of
`node-gyp@3.8.0`](https://github.com/nodejs/node-gyp/pull/1521), an awkward
version conflict that was preventing `request` from begin flattened was
resolved. This means two things:

1. We've cut down the npm tarball size by another 200kb, to 4.6MB
2. `npm audit` now shows no vulnerabilities for npm itself!

Thanks, [@rvagg](https://github.com/rvagg)!

* [`866d776c2`](https://github.com/npm/cli/commit/866d776c27f80a71309389aaab42825b2a0916f6)
`request@2.87.0`
([@simov](https://github.com/simov))
* [`f861c2b57`](https://github.com/npm/cli/commit/f861c2b579a9d4feae1653222afcefdd4f0e978f)
`node-gyp@3.8.0`
([@rvagg](https://github.com/rvagg))
* [`32e6947c6`](https://github.com/npm/cli/commit/32e6947c60db865257a0ebc2f7e754fedf7a6fc9)
[npm/cli#39](https://github.com/npm/cli/pull/39)
`colors@1.1.2`:
REVERT REVERT, newer versions of this library are broken and print ansi
codes even when disabled.
([@iarna](https://github.com/iarna))
* [`beb96b92c`](https://github.com/npm/cli/commit/beb96b92caf061611e3faafc7ca10e77084ec335)
`libcipm@2.0.1`
([@zkat](https://github.com/zkat))
* [`348fc91ad`](https://github.com/npm/cli/commit/348fc91ad223ff91cd7bcf233018ea1d979a2af1)
`validate-npm-package-license@3.0.4`: Fixes errors with empty or string-only
license fields.
([@Gudahtt](https://github.com/Gudahtt))
* [`e57d34575`](https://github.com/npm/cli/commit/e57d3457547ef464828fc6f82ae4750f3e511550)
`iferr@1.0.2`
([@shesek](https://github.com/shesek))
* [`46f1c6ad4`](https://github.com/npm/cli/commit/46f1c6ad4b2fd5b0d7ec879b76b76a70a3a2595c)
`tar@4.4.6`
([@isaacs](https://github.com/isaacs))
* [`50df1bf69`](https://github.com/npm/cli/commit/50df1bf691e205b9f13e0fff0d51a68772c40561)
`hosted-git-info@2.7.1`
([@iarna](https://github.com/iarna))
([@Erveon](https://github.com/Erveon))
([@huochunpeng](https://github.com/huochunpeng))

### DOCUMENTATION

* [`af98e76ed`](https://github.com/npm/cli/commit/af98e76ed96af780b544962aa575585b3fa17b9a)
[npm/cli#34](https://github.com/npm/cli/pull/34)
Remove `npm publish` from list of commands not affected by `--dry-run`.
([@joebowbeer](https://github.com/joebowbeer))
* [`e2b0f0921`](https://github.com/npm/cli/commit/e2b0f092193c08c00f12a6168ad2bd9d6e16f8ce)
[npm/cli#36](https://github.com/npm/cli/pull/36)
Tweak formatting in repository field examples.
([@noahbenham](https://github.com/noahbenham))
* [`e2346e770`](https://github.com/npm/cli/commit/e2346e7702acccefe6d711168c2b0e0e272e194a)
[npm/cli#14](https://github.com/npm/cli/pull/14)
Used `process.env` examples to make accessing certain `npm run-scripts`
environment variables more clear.
([@mwarger](https://github.com/mwarger))

## v6.3.0 (2018-08-01):

This is basically the same as the prerelease, but two dependencies have been
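Review bot: typo in the DEPENDENCY UPDATES intro, "preventing `request` from begin flattened" should read "being flattened". The `--audit-level` entry would also benefit from listing the accepted values (`low`, `moderate`, `high`, `critical`) as the new `audit-level` section in doc/misc/npm-config.md does, so the changelog and the config documentation agree on what the flag takes.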
8 changes: 8 additions & 0 deletions README.md
Expand Up @@ -3,6 +3,14 @@ npm(1) -- a JavaScript package manager

[![Build Status](https://img.shields.io/travis/npm/cli/latest.svg)](https://travis-ci.org/npm/cli)

# NOTE: This is a "Canary" version of npm itself!

This version of npm is meant to be rapid-release and unstable, essentially
tracking `release-next` on the main npm repository (but not necessarily).

The code in this package might be experimental, unreviewed, or have specific
errors while adding other features.

## SYNOPSIS

This is just enough info to get you up and running.
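Review bot: the canary note contradicts itself: "essentially tracking `release-next` on the main npm repository (but not necessarily)" leaves the reader with no definite statement of what this package tracks; either state the actual relationship to `release-next` or drop the parenthetical. The sentence "might be experimental, unreviewed, or have specific errors while adding other features" is also unclear; something like "may contain bugs introduced by features still under development" says the same thing plainly.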
3 changes: 3 additions & 0 deletions bin/npm-cli.js
Expand Up @@ -69,12 +69,15 @@
npm.command = 'help'
}

var isGlobalNpmUpdate = conf.global && ['install', 'update'].includes(npm.command) && npm.argv.includes('npm')

// now actually fire up npm and run the command.
// this is how to use npm programmatically:
conf._exit = true
npm.load(conf, function (er) {
if (er) return errorHandler(er)
if (
!isGlobalNpmUpdate &&
npm.config.get('update-notifier') &&
!unsupported.checkVersion(process.version).unsupported
) {
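Review bot: the `isGlobalNpmUpdate` check only matches the literal argument `npm`, so `npm install -g npm@latest` or `npm install -g npm@6.4.0` still fire the update notifier during a self-update, which is the case this change is meant to suppress. Consider comparing the parsed package name (for example via `npm-package-arg`) or matching both `npm` and an `npm@` prefix instead of `npm.argv.includes('npm')`. A short comment above the variable explaining why the notifier is skipped for self-updates would also help the next reader.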
85 changes: 85 additions & 0 deletions doc/cli/npm-archive.md
@@ -0,0 +1,85 @@
npm-archive(1) -- Project-local dependency tarball archive
===================================

## SYNOPSIS

npm archive

## EXAMPLE

Make sure you have a package-lock and an up-to-date install:

```
$ cd ./my/npm/project
$ npm install
added 154 packages in 10s
$ ls | grep package-lock
```

Run `npm archive` in that project

```
$ npm archive
added 1964 packages in 4.103s
```

Commit the newly-created `archived-packages/` directory and the modified `package-lock.json`

```
$ git add package-lock.json archived-packages/
$ git commit -m 'misc: committing dependency archive'
```

Add a dependency as usual -- its archive will be automatically managed.

```
$ npm i aubergine
added 1 package from 1 contributor in 5s
$ git status
M package-lock.json
M package.json
?? archived-packages/aubergine-1.0.1-46c5742af.tar
$ git add archived-packages package-lock.json package.json
$ git commit -m 'deps: aubergine@1.0.1'
```

The inverse happens when a package is removed.

You can then install normally using `npm-ci(1)` or `npm-install(1)`!

```
$ npm ci
added 1965 packages in 10.5s
```

Finally, you can remove and disable the archive, restoring `package-lock.json` its normal state, by using `npm-unarchive(1)`.

```
$ npm unarchive

```
## DESCRIPTION

This command generates a committable archive of your project's dependencies. There are several benefits to this:

1. Offline installs without having to warm up npm's global cache
2. No need for configuring credentials for dependency fetching
3. Much faster installs vs standard CI configurations
4. No need to have a `git` binary present in the system
5. Reduced download duplication across teams

`npm-archive` works by generating tarballs for your dependencies, unzipping them, and storing them in a directory called `archived-packages/`. It then rewrites your `package-lock.json` (or `npm-shrinkwrap.json`) such that the `resolved` field on those dependencies refers to the path in `archived-packages/`.

npm will detect these `file:` URLs and extract package data directly from them instead of the registry, git repositories, etc.

When installing or removing dependencies, npm will look for `archived-packages/` and switch to an "archive mode", which will automatically update archive files and information on every relevant npm operation. Remember to commit the directory, not just `package-lock.json`!

As an added benefit, `npm-archive` will generate tarballs for all your git dependencies and pre-pack them, meaning npm will not need to invoke the git binary or go through other heavy processes git dependencies go to -- making git deps as fast as registry dependencies when reinstalling from an archive.

If specific tarballs are removed from the archive, npm will fall back to standard behavior for fetching dependencies: first checking its global cache, then going out and fetching the dependency from its origin. To regenerate the tarball for a package after removing it, just reinstall the package while in archive mode.

## SEE ALSO

* npm-unarchive(1)
* npm-package-locks(5)
* npm-ci(1)
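Review bot: the DESCRIPTION explains that `resolved` is rewritten to paths under `archived-packages/` but says nothing about the `integrity` field of archived entries, while npm-unarchive(1) in this same PR says it "updates their `integrity` fields"; since the archive is committed next to the lockfile, readers need to know whether `npm ci` still verifies the archived tarballs against `integrity`, and a sentence here should state it. Smaller points: "restoring `package-lock.json` its normal state" is missing "to"; "generating tarballs for your dependencies, unzipping them" is confusing given the example shows `.tar` files being stored; and the `npm unarchive` example block is empty, with its closing fence running straight into `## DESCRIPTION` without a blank line.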
25 changes: 25 additions & 0 deletions doc/cli/npm-unarchive.md
@@ -0,0 +1,25 @@
npm-unarchive(1) -- Restore project to a non-archived state.
===================================

## SYNOPSIS

npm unarchive

## EXAMPLE

```
$ npm unarchive
archive information and tarballs removed
```
## DESCRIPTION

This command undoes the work of `npm-archive(1)` by doing the following:

1. Removes the `archived-packages/` directory.
2. Restores the entires in `package-lock.json` to use non-`file:` resolved URLs and updates their `integrity` fields.
3. Removes `node_modules/` to prevent archive-related changes from affecting future installs.

## SEE ALSO

* npm-archive(1)
* npm-package-locks(5)
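Review bot: "entires" in step 2 should be "entries". Step 3 deletes `node_modules/`, which is destructive and not hinted at by the SYNOPSIS or the EXAMPLE output ("archive information and tarballs removed"); the doc should say so up front and tell the user to run `npm install` or `npm ci` afterwards. Also add a blank line between the closing fence of the example and `## DESCRIPTION`.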
16 changes: 8 additions & 8 deletions doc/files/package.json.md
Expand Up @@ -366,15 +366,15 @@ command will be able to find you.

Do it like this:

"repository" :
{ "type" : "git"
, "url" : "https://github.com/npm/cli.git"
}
"repository": {
"type" : "git",
"url" : "https://github.com/npm/cli.git"
}

"repository" :
{ "type" : "svn"
, "url" : "https://v8.googlecode.com/svn/trunk/"
}
"repository": {
"type" : "svn",
"url" : "https://v8.googlecode.com/svn/trunk/"
}

The URL should be a publicly available (perhaps read-only) url that can be handed
directly to a VCS program without any modification. It should not be a url to an
24 changes: 22 additions & 2 deletions doc/misc/npm-config.md
Expand Up @@ -164,6 +164,26 @@ When "true" submit audit reports alongside `npm install` runs to the default
registry and all registries configured for scopes. See the documentation
for npm-audit(1) for details on what is submitted.

### audit-level

* Default: `"low"`
* Type: `'low'`, `'moderate'`, `'high'`, `'critical'`

The minimum level of vulnerability for `npm audit` to exit with
a non-zero exit code.

### archive

* Default: true
* Type: Boolean

If false (with `--no-archive`), an existing `archived-packages/` directory
will not be modified on save.

This flag has no effect if the archive directory does not alredy exist.

See also npm-archive(1).

### auth-type

* Default: `'legacy'`
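Review bot: "alredy" in the `archive` section should be "already". In `audit-level` the Default is written `"low"` while Type lists `'low'`, `'moderate'`, `'high'`, `'critical'`; use one quoting style, and since the default means any finding at all makes `npm audit` exit non-zero, saying that explicitly would match the changelog's description of the flag. The `archive` option only describes `--no-archive`; one sentence stating that with the default `true` npm enters archive mode automatically whenever `archived-packages/` exists would make that implicit behaviour visible to anyone reading the config reference.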
Expand Down Expand Up @@ -331,8 +351,8 @@ Install `dev-dependencies` along with packages.
Indicates that you don't want npm to make any changes and that it should
only report what it would have done. This can be passed into any of the
commands that modify your local installation, eg, `install`, `update`,
`dedupe`, `uninstall`. This is NOT currently honored by network related
commands, eg `dist-tags`, `owner`, `publish`, etc.
`dedupe`, `uninstall`. This is NOT currently honored by some network related
commands, eg `dist-tags`, `owner`, etc.

### editor

4 changes: 3 additions & 1 deletion doc/misc/npm-scripts.md
Expand Up @@ -143,7 +143,9 @@ The package.json fields are tacked onto the `npm_package_` prefix. So,
for instance, if you had `{"name":"foo", "version":"1.2.5"}` in your
package.json file, then your package scripts would have the
`npm_package_name` environment variable set to "foo", and the
`npm_package_version` set to "1.2.5"
`npm_package_version` set to "1.2.5". You can access these variables
in your code with `process.env.npm_package_name` and
`process.env.npm_package_version`, and so on for other fields.

### configuration

3 changes: 0 additions & 3 deletions doc/spec/file-specifiers.md
Expand Up @@ -55,9 +55,6 @@ note for the `npm-shrinkwrap.json` as it means the specifier there will
be different then the original `package.json` (where it was relative to that
`package.json`).

# No, for `file:` type specifiers, we SHOULD shrinkwrap. Other symlinks we
# should not. Other symlinks w/o the link spec should be an error.

When shrinkwrapping file specifiers, the contents of the destination
package's `node_modules` WILL NOT be included in the shrinkwrap. If you want to lock
down the destination package's `node_modules` you should create a shrinkwrap for it
63 changes: 63 additions & 0 deletions lib/archive.js
@@ -0,0 +1,63 @@
'use strict'

const BB = require('bluebird')

const MyPrecious = require('libprecious')
const npm = require('./npm.js')
const npmlog = require('npmlog')
const pacoteOpts = require('./config/pacote.js')
const path = require('path')

const statAsync = BB.promisify(require('fs').stat)

archive.usage = 'npm archive\nnpm archive restore'

archive.completion = (cb) => cb(null, [])

MyPrecious.PreciousConfig.impl(npm.config, {
get: npm.config.get,
set: npm.config.set,
toPacote (moreOpts) {
return pacoteOpts(moreOpts)
}
})

module.exports = archive
function archive (args, cb) {
BB.resolve(_archive()).nodeify(cb)
}

function _archive (args) {
// TODO - is this the right path?...
return statAsync(path.join(npm.prefix, 'archived-packages'))
.catch((err) => { if (err.code !== 'ENOENT') { throw err } })
.then((stat) => {
const archiveExists = stat && stat.isDirectory()
return new MyPrecious({
config: npm.config,
log: npmlog
})
.run()
.then((details) => {
if (!archiveExists) {
npmlog.notice('archive', 'created new package archive as `archived-packages/`. Future installations will prioritize packages in this directory.')
}
const clauses = []
if (!details.pkgCount && !details.removed) {
clauses.push('done')
}
if (details.pkgCount) {
clauses.push(`archived ${details.pkgCount} package${
details.pkgCount === 1 ? '' : 's'
}`)
}
if (details.removed) {
clauses.push(`cleaned up ${details.pkgCount} archive${
details.removed === 1 ? '' : 's'
}`)
}
const time = details.runTime / 1000
console.error(`${clauses.join(' and ')} in ${time}s`)
})
})
}
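Review bot: the `removed` clause reports the wrong count: `cleaned up ${details.pkgCount} archive${details.removed === 1 ? '' : 's'}` should interpolate `details.removed`, otherwise a run that archives 3 packages and removes 1 prints "cleaned up 3 archive". Further points: `archive.usage` advertises `npm archive restore`, but `archive()` calls `_archive()` with no arguments and `_archive(args)` never reads `args`, so `restore` is silently treated as a plain `npm archive`; either handle the subcommand or drop it from the usage string. `MyPrecious.PreciousConfig.impl(npm.config, ...)` runs at require time as a side effect of loading the module; moving it into `_archive` (or guarding it) keeps loading `lib/archive.js` from mutating shared config. The summary is written with `console.error` rather than `npmlog` like the notice above it, and the `TODO - is this the right path?` on the `archived-packages` lookup should be resolved before merging, since that directory location is what the new docs promise.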