ab80a7cf0 npm-user-validate@1.0.1
- dep update to resolve security issue GHSA-xgh6-85xh-479p
6b2ab9d53 har-validator@5.1.5
- dep update to resolve security issue SNYK-JS-AJV-584908

BUG FIXES

9262e8c88 #1575 npm install --dev deprecation message (@sandratatarevicova)
765cfe0bc #1658 remove unused broken require (@aduh95)
4e28de79a #1663 Do not send user secret in the referer header (@assapir)

DOCUMENTATION

8abdf30c9 #1572 docs: add missing metadata in semver page (@tripu)
8cedcca46 #1614 Node-gyp supports both Python and legacy Python (@cclauss)

DEPENDENCIES

a303b75fd update-notifier@2.5.0
c48600832 npm-registry-fetch@4.0.7
a6e9fc4df meant@1.0.2:

BUG FIXES

de5108836 #784 npm explore spawn shell correctly (@jasisk)
36e6c01d3 git tag handling regression on shrinkwrap (@claudiahdz)
1961c9369 #288 Fix package id in shrinkwrap lifecycle step output (@bz2)
87888892a #1009 gracefully handle error during npm install (@danielleadams)
6fe2bdc25 #1547 npm ls --parseable --long output (@ruyadorno)

DEPENDENCIES

2d78481c7 update mkdirp on tacks (@claudiahdz)
4e129d105 uninstall npm-registry-couchapp (@claudiahdz)
8e1869e27 update marked dev dep (@claudiahdz)
6a6151f37 libnpx@10.2.4 (@claudiahdz)
dc21422eb bin-links@1.1.8 (@claudiahdz)
d341f88ce gentle-fs@2.3.1 (@claudiahdz)
3e168d49b libcipm@4.0.8 (@claudiahdz)
6ae942a51 npm-audit-report@1.3.3 (@claudiahdz)
6a35e3dee npm-lifecycle@3.1.5 (@claudiahdz)

BUG FIXES

a9857b8f6 chore: remove auth info from logs (@claudiahdz)
b7ad77598 #1416 fix: wrong npm doctor command result (@vanishcode)

DEPENDENCIES

94eca6377 npm-registry-fetch@4.0.5 (@claudiahdz)
c49b6ae28 #1418 spdx-license-ids@3.0.5 (@kemitchell)

DOCUMENTATION

2e052984b #1459 chore(docs): fixed links to cli commands (@claudiahdz)
0ca3509ca #1283 Update npm-link.md (@peterfich)
3dd429e9a #1377 Add note about dropped * filenames (@maxwellgerber)
9a2e2e797 #1429 Fix typo (@seanpoulter)

BUG FIXES

33ec41f18 #758 fix: relativize file links when inflating shrinkwrap (@jsnajdr)
94ed456df #1162 fix: npm init help output (@mum-never-proud)

DEPENDENCIES

5587ac01f npm-registry-fetch@4.0.4
- fc5d94c39 fix: removed default timeout
07a4d8884 graceful-fs@4.2.4
8228d1f2e mkdirp@0.5.5
e6d208317 nopt@4.0.3

DEPENDENCIES

Bump minimist@1.2.5 transitive dep to resolve security issue
- 9c554fd8c update-notifier@2.5.0
- bump deep-extend@1.2.5
- bump deep-extend@0.6.0
- bump is-ci@1.2.1
- bump is-retry-allowed@1.2.0
- bump rc@1.2.8
- bump registry-auth-token@3.4.0
- bump widest-line@2.0.1
136832dca mkdirp@0.5.4
8bf99b2b5 #1053 deps: updates term-size to use signed binary
- d2f08a1bdb (@rvagg)

DOCUMENTATION

4ad221487 #1020 docs(teams): updated team docs to reflect MFA workflow (@blkdm0n)
4a31a4ba2 #1034 docs: cleanup (@ruyadorno)
0eac801cd #1013 docs: fix links to cli commands (@alenros)
7d8e5b99c #755 docs: correction to npm update -g behaviour (@johnkennedy9147)

DEPENDENCIES

e11167646 mkdirp@0.5.3
- c5b97d17d fix: bump minimist dep to resolve security issue (@isaacs)
c50d679c6 rimraf@2.7.1
a2de99ff9 npm-registry-mock@1.3.1
217debeb9 npm-registry-couchapp@2.7.4

DOCUMENTATION

f9248c0be #730 chore(docs): update unpublish docs & policy reference (@nomadtechie, @mikemimik)

DEPENDENCIES

909cc3918 hosted-git-info@2.8.8 (@darcyclarke)
- 5038b1891 fix: regression in old node versions w/ respect to url.URL implmentation
9204ffa58 npm-profile@4.0.4 (@isaacs)
- 6bcf0860a fix: treat non-http/https login urls as invalid
0365d39bd glob@7.1.6 (@isaacs)
dab030536 node-gyp@5.1.0 (@rvagg)

6.14.1 (2020-02-26)

303e5c11e hosted-git-info@2.8.7 Fixes a regression where scp-style git urls are passed to the WhatWG URL parser, which does not handle them properly. (@isaacs)

FEATURES

30f170877 #731 add support for multiple funding sources (@ljharb & @ruyadorno)

BUG FIXES

55916b130 #508 fix: check npm.config before accessing its members (@kaiyoma)
7d0cd65b2 #733 fix: access grant with unscoped packages (@netanelgilad)
28c3d40d6, 0769c5b20 #945, #697 fix: allow new major versions of node to be automatically considered "supported" (@isaacs, @ljharb)

DEPENDENCIES

6f39e93 hosted-git-info@2.8.6 (@darcyclarke)
- fix: passwords & usernames are escaped properly in git deps (@stevenhilder)
f14b594ee chownr@1.1.4 (@isaacs)
77044150b npm-packlist@1.4.8 (@isaacs)
1d112461a npm-registry-fetch@4.0.3 (@isaacs)
- ba8b4fe fix: always bypass cache when ?write=true
a47fed760 readable-stream@3.6.0
- 3bbf2d6 fix: babel's "loose mode" class transform enbrittles BufferList (@ljharb)

DOCUMENTATION

284c1c055, fbb5f0e50 #729 update lifecycle hooks docs (@seanhealy, @mikemimik)
1c272832d #787 fix: trademarks typo (@dnicolson)
f6ff41776 #936 fix: postinstall example (@ajaymathur)
373224b16 #939 fix: bad links in publish docs (@vit100)

MISCELLANEOUS

85c79636d #736 add script to update dist-tags (@mikemimik)

BUG FIXES

7dbb91438 #655 Update CI detection cases (@isaacs)

DEPENDENCIES

0fb1296c7 libnpx@10.2.2 (@mikemimik)
c9b69d569 node-gyp@5.0.7 (@mikemimik)
e8dbaf452 bin-links@1.1.7 (@mikemimik)
- #613 Fixes bin entry for package

DEPENDENCIES

6dba897a1 pacote@9.5.12:
- d2f4176 fix(git): Do not drop uid/gid when executing in root-owned directory (@isaacs)

BUG FIXES

fd0a802ec #550 Fix cache location for npm ci (@zhenyavinogradov)
4b30f3cca #648 fix(version): using 'allow-same-version', git commit --allow-empty and git tag -f (@rhengles)

TESTING

e16f68d30 test(ci): add failing cache config test (@ruyadorno)
3f009fbf2 #659 test: fix bin-overwriting test on Windows (@isaacs)
43ae0791f #601 ci: Allow builds to run even if one fails (@XhmikosR)
4a669bee4 #603 Remove the unused appveyor.yml (@XhmikosR)
9295046ac #600 ci: switch to actions/checkout@v2 (@XhmikosR)

DOCUMENTATION

f2d770ac7 #569 fix netlify publish path config (@claudiahdz)
462cf0983 #627 update gatsby dependencies (@felixonmars)
6fb5dbb72 #532 docs: clarify usage of global prefix (@jgehrcke)

BUGFIXES

320ac9aee npm/bin-links#12 npm/gentle-fs#7 Do not remove global bin/man links inappropriately (@isaacs)

DEPENDENCIES

52fd21061 gentle-fs@2.3.0 (@isaacs)
d06f5c0b0 bin-links@1.1.6 (@isaacs)

DEPENDENCIES

19ce061a2 bin-links@1.1.5 Properly normalize, sanitize, and verify bin entries in package.json.
59c836aae npm-packlist@1.4.7
fb4ecd7d2 pacote@9.5.11
- 5f33040 #476 npm/pacote#22 npm/pacote#14 fix: Do not drop perms in git when not root (isaacs, @darcyclarke)
- 6f229f7 sanitize and normalize package bin field (isaacs)
1743cb339 read-package-json@2.1.1

BUG FIXES

4429645b3 #546 fix docs target typo (@richardlau)
867642942 #142 fix(packageRelativePath): fix 'where' for file deps (@larsgw)
d480f2c17 #527 Revert "windows: Add preliminary WSL support for npm and npx" (@craigloewen-msft)
e4b97962e #504 remove unnecessary package.json read when reading shrinkwrap (@Lighting-Jack)
1c65d26ac #501 fix(fund): open url for string shorthand (@ruyadorno)
ae7afe565 #263 Don't log error message if git tagging is disabled (@woppa684)
4c1b16f6a #182 Warn the user that it is uninstalling npm-install (@Hoidberg)

BUG FIXES

938d6124d #472 fix(fund): support funding string shorthand (@ruyadorno)
b49c5535b #471 should not publish tap-snapshot folder (@ruyadorno)
3471d5200 #253 Add preliminary WSL support for npm and npx (@infinnie)
3ef295f23 #486 print quick audit report for human output (@isaacs)

TESTING

dbbf977ac #278 added workflow to trigger and run benchmarks (@mikemimik)
b4f5e3825 #457 feat(docs): adding tests and updating docs to reflect changes in registry teams API. (@nomadtechie)
454c7dd60 #456 fix git configs for git 2.23 and above (@isaacs)

DOCUMENTATION

b8c1576a4 30b013ae8 26c1b2ef6 9f943a765 c0346b158 8e09d5ad6 4a2f551ee 87d67258c 5c3b32722 b150eaeff 7555a743c b89423e2f #463 #285 #268 #232 #485 #453 docs cleanup: typos, styling and content (@claudiahdz) (@XhmikosR) (@mugli) (@brettz9) (@mkotsollaris)

DEPENDENCIES

661d86cd2 make-fetch-happen@5.0.2 (@claudiahdz)

NEW FEATURES

4414b06d9 #273 add fund command (@ruyadorno)

DOCUMENTATION

ae4c74d04 #274 migrate existing docs to gatsby (@claudiahdz)
4ff1bb180 #277 updated documentation copy (@oletizi)

BUG FIXES

e4455409f #281 delete ps1 files on package removal (@NoDocCat)
cd14d4701 #279 update supported node list to remove v6.0, v6.1, v9.0 - v9.2 (@ljharb)

DEPENDENCIES

a37296b20 pacote@9.5.9
d3cb3abe8 read-cmd-shim@1.0.5

TESTING

688cd97be #272 use github actions for CI (@JasonEtco)
9a2d8af84 #240 Clean up some flakiness and inconsistency (@isaacs)

BUG FIXES

6508e833d #269 add node v13 as a supported version (@ljharb)
b6588a8f7 #265 Fix regression in lockfile repair for sub-deps (@feelepxyz)
d5dfe57a1 #266 resolve circular dependency in pack.js (@addaleax)

DEPENDENCIES

73678bb59 chownr@1.1.3
4b76926e2 graceful-fs@4.2.3
c691f36a9 libcipm@4.0.7
5e1a14975 npm-packlist@1.4.6
c194482d6 npm-registry-fetch@4.0.2
bc6a8e0ec tar@4.4.1
4dcca3cbb uuid@3.3.3

6.12.0 (2019-10-08):

Now npm ci runs prepare scripts for git dependencies, and respects the --no-optional argument. Warnings for engine mismatches are printed again. Various other fixes and cleanups.

BUG FIXES

890b245dc #252 ci: add dirPacker to options (@claudiahdz)
f3299acd0 #257 npm.community#4792 warn message on engine mismatch (@ruyadorno)
bbc92fb8f #259 npm.community#10288 Fix figgyPudding error in npm token (@benblank)
70f54dcb5 #241 doctor: Make OK more consistent (@gemal)

FEATURES

ed993a29c #249 Add CI environment variables to user-agent (@isaacs)
f6b0459a4 #248 Add option to save package-lock without formatting Adds a new config --format-package-lock, which defaults to true. (@bl00mber)

DEPENDENCIES

0ca063c5d npm-lifecycle@3.1.4:
- fix: filter functions and undefined out of makeEnv (@isaacs)
5df6b0ea2 libcipm@4.0.4:
- fix: pack git directories properly (@claudiahdz)
- respect no-optional argument (@cruzdanilo)
7e04f728c tar@4.4.12
5c380e5a3 stringify-package@1.0.1 (@isaacs)
62f2ca692 node-gyp@5.0.5 (@isaacs)
0ff0ea47a npm-install-checks@3.0.2 (@isaacs)
f46edae94 hosted-git-info@2.8.5 (@isaacs)

TESTING

44a2b036b #262 fix root-ownership race conditions in meta-test (@isaacs)

6.11.3 (2019-09-03):

Fix npm ci regressions and npm outdated depth.

BUG FIXES

235ed1d28 #239 Don't override user specified depth in outdated Restores ability to update packages using --depth as suggested by npm audit. (@G-Rath)
1fafb5151 #242 npm.community#9586 Revert "install: do not descend into directory deps' child modules" (@isaacs)
cebf542e6 #243 npm.community#9720 ci: pass appropriate configs for file/dir modes (@isaacs)

DEPENDENCIES

e5fbb7ed1 read-cmd-shim@1.0.4 (@claudiahdz)
23ce65616 npm-pick-manifest@3.0.2 (@claudiahdz)

6.11.2 (2019-08-22):

Fix a recent Windows regression, and two long-standing Windows bugs. Also, get CI running on Windows, so these things are less likely in the future.

DEPENDENCIES

9778a1b87 cmd-shim@3.0.3: Fix regression where shims fail to preserve exit code (@isaacs)
bf93e91d8 npm-package-arg@6.1.1: Properly handle git+file: urls on Windows when a drive letter is included. (@isaacs)

BUGFIXES

6cc4cc66f escape args properly on Windows Bash Despite being bash, Node.js running on windows git mingw bash still executes child processes using cmd.exe. As a result, arguments in this environment need to be escaped in the style of cmd.exe, not bash. (@isaacs)

TESTS

291aba7b8 make tests pass on Windows (@isaacs)
fea3a023a travis: run tests on Windows as well (@isaacs)

6.11.1 (2019-08-20):

Fix a regression for windows command shim syntax.

37db29647 cmd-shim@3.0.2 (@isaacs)

v6.11.0 (2019-08-20):

A few meaty bugfixes, and introducing peerDependenciesMeta.

FEATURES

a12341088 #224 Implements peerDependenciesMeta (@arcanis)
2f3b79bba #234 add new forbidden 403 error code (@claudiahdz)

BUGFIXES

24acc9fc8 and 45772af0d #217 npm.community#8863 npm.community#9327 do not descend into directory deps' child modules, fix shrinkwrap files that inappropriately list child nodes of symlink packages (@isaacs and @salomvary)
50cfe113d #229 fixed typo in semver doc (@gall0ws)
e8fb2a1bd #231 Fix spelling mistakes in CHANGELOG-3.md (@XhmikosR)
769d2e057 npm/uid-number#7 Better error on invalid --user/--group configs. This addresses the issue when people fail to install binary packages on Docker and other environments where there is no 'nobody' user. (@isaacs)
8b43c9624 nodejs/node#28987 npm.community#6032 npm.community#6658 npm.community#6069 npm.community#9323 Fix the regression where random config values in a .npmrc file are not passed to lifecycle scripts, breaking build processes which rely on them. (@isaacs)
8b85eaa47 save files with inferred ownership rather than relying on SUDO_UID and SUDO_GID. (@isaacs)
b7f6e5f02 Infer ownership of shrinkwrap files (@isaacs)
54b095d77 #235 Add spec to dist-tag remove function (@theberbie)

DEPENDENCIES

dc8f9e52f pacote@9.5.7: Infer the ownership of all unpacked files in node_modules, so that we never have user-owned files in root-owned folders, or root-owned files in user-owned folders. (@isaacs)
bb33940c3 cmd-shim@3.0.0:
- 9c93ac3 #2 npm#3380 Handle environment variables properly (@basbossink)
- 2d277f8 #25 #36 #35 Fix 'no shebang' case by always providing $basedir in shell script (@igorklopov)
- adaf20b #26 Fix $* causing an error when arguments contain parentheses (@satazor)
- 49f0c13 #30 Fix paths for MSYS/MINGW bash (@dscho)
- 51a8af3 #34 Add proper support for PowerShell (@ExE-Boss)
- 4c37e04 #10 Work around quoted batch file names (@isaacs)
a4e279544 npm-lifecycle@3.1.3 (@isaacs):
- fail properly if uid-number raises an error
7086a1809 libcipm@4.0.3 (@isaacs)
8845141f9 read-package-json@2.1.0 (@isaacs)
51c028215 bin-links@1.1.3 (@isaacs)
534a5548c read-cmd-shim@1.0.3 (@isaacs)
3038f2fd5 gentle-fs@2.2.1 (@isaacs)
a609a1648 graceful-fs@4.2.2 (@isaacs)
f0346f754 cacache@12.0.3 (@isaacs)
ca9c615c8 npm-pick-manifest@3.0.0 (@isaacs)
b417affbf pacote@9.5.8 (@isaacs)

TESTS

b6df0913c #228 Proper handing of /usr/bin/node lifecycle-path test (@olivr70)
aaf98e88c npm-registry-mock@1.3.0 (@isaacs)

BUGFIXES

27cccfbda #223 vulns → vulnerabilities in npm audit output (@sapegin)
d5e865eb7 #222 #226 install, doctor: don't crash if registry unset (@dmitrydvorkin, @isaacs)
5b3890226 #227 npm.community#9167 Handle unhandledRejections, tell user what to do when encountering an EACCES error in the cache. (@isaacs)

DEPENDENCIES

77516df6e licensee@7.0.3 (@isaacs)
ceb993590 query-string@6.8.2 (@isaacs)
4050b9189 hosted-git-info@2.8.2
- #46 #43 #47 #44 Add support for GitLab subgroups (@mterrel, @isaacs, @ybiquitous)
- 3b1d629 #48 fix http protocol using sshurl by default (@fengmk2)
- 5d4a8d7 ignore noCommittish on tarball url generation (@isaacs)
- 1692435 use gist tarball url that works for anonymous gists (@isaacs)
- d5cf830 Do not allow invalid gist urls (@isaacs)
- e518222 Use LRU cache to prevent unbounded memory consumption (@iarna)

v6.10.2 (2019-07-23):

tl;dr - Fixes several issues with the cache when npm is run as sudo on Unix systems.

TESTING

2a78b96f8 check test cache for root-owned files (@isaacs)
108646ebc run sudo tests on Travis-CI (@isaacs)
cf984e946 set --no-esm tap flag (@isaacs)
8e0a3100d add script to run tests and leave fixtures for inspection and debugging (@isaacs)

BUGFIXES

25f4f73f6 add a util for writing arbitrary files to cache This prevents metrics timing and debug logs from becoming root-owned. (@isaacs)
2c61ce65d infer cache owner from parent dir in correct-mkdir util (@isaacs)
235e5d6df ensure correct owner on cached all-packages metadata (@isaacs)
e2d377bb6 npm.community#8540 audit: report server error on failure (@isaacs)
52576a39e #216 npm.community#5385 npm.community#6076 Fix npm ci with file: dependencies. Partially reverts #40/#86, recording dependencies of linked deps in order for npm ci to work. (@jfirebaugh)

DEPENDENCIES

0fefdee13 cacache@12.0.2 (@isaacs)
- infer uid/gid instead of accepting as options, preventing the overwhelming majority of cases where root-owned files end up in the cache folder. (ac84d14) (@isaacs) (#1)
- i18n: add another error message (676cb32) (@zkat)
e1d87a392 pacote@9.5.4 (@isaacs)
- git: ensure stream failures are reported (7f07b5d) #1 (@lddubeau)
3f035bf09 infer-owner@1.0.4 (@isaacs)
ba3283112 npm-registry-fetch@4.0.0 (@isaacs)
ee90c334d libnpm@3.0.1 (@isaacs)
1e480c384 libnpmaccess@3.0.2 (@isaacs)
7662ee850 libnpmhook@5.0.3 (@isaacs)
1357fadc6 libnpmorg@1.0.1 (@isaacs)
a621b5cb6 libnpmsearch@2.0.2 (@isaacs)
560cd31dd libnpmteam@1.0.2 (@isaacs)
de7ae0867 npm-profile@4.0.2 (@isaacs)
e95da463c libnpm@3.0.1 (@isaacs)
554b641d4 npm-registry-fetch@4.0.0 (@isaacs)
06772f34a node-gyp@5.0.3 (@isaacs)
85358db80 npm-lifecycle@3.1.2 (@isaacs)
- 051cf20 #26 fix switches for alternative shells on Windows (@gucong3000)
- 3aaf954 #25 set only one PATH env variable for child process on Windows (@zkochan)
- ea18ed2 #36 #11 #18 remove procInterrupt listener on SIGINT in procError (@mattshin)
- 5523951 #29 #30 Use platform specific path casing if present (@mattezell)

BUGFIXES

3cbd57712 fix(git): strip GIT environs when running git (@isaacs)
a81a8c4c4 #206 improve isOnly(Dev,Optional) (@larsgw)
172f9aca6 #179 fix-xmas-underline (@raywu0123)
f52673fc7 #212 build: use /usr/bin/env to load bash (@rsmarples)

DEPENDENCIES

ef4445ad3 #208 node-gyp@5.0.2 (@irega)
c0d611356 npm-lifecycle@3.0.0 (@isaacs)
7716ba972 libcipm@4.0.0 (@isaacs)
42d22e837 libnpm@3.0.0 (@isaacs)
a2ea7f9ff semver@5.7.0 (@isaacs)
429226a5e lru-cache@5.1.1 (@isaacs)
175670ea6 npm-registry-fetch@3.9.1: (@isaacs)
0d0517f7f call-limit@1.1.1 (@isaacs)
741400429 glob@7.1.4 (@isaacs)
bddd60e30 inherits@2.0.4 (@isaacs)
4acf03fd1 libnpmsearch@2.0.1 (@isaacs)
c2bd17291 marked@0.6.3 (@isaacs)
7f0221bb1 marked-man@0.6.0 (@isaacs)
f458fe7dd npm-lifecycle@2.1.1 (@isaacs)
009752978 node-gyp@4.0.0 (@isaacs)
0fa2bb438 query-string@6.8.1 (@isaacs)
b86450929 tar-stream@2.1.0 (@isaacs)
25db00fe9 worker-farm@1.7.0 (@isaacs)
8dfbe8610 readable-stream@3.4.0 (@isaacs)
f6164d5dd isaacs/chownr#21 isaacs/chownr#20 npm.community#7901 npm.community#8203 chownr@1.1.2 This fixes an EISDIR error from cacache on Darwin in Node versions prior to 10.6. (@isaacs)

FEATURES

87fef4e35 #176 fix: Always return JSON for outdated --json (@sreeramjayan)
f101d44fc #203 fix(unpublish): add space after hyphen (@ffflorian)
a4475de4c #202 enable production flag for npm audit (@CalebCourier)
d192904d0 #178 fix: Return a value for view when in silent mode (@stayradiated)
39d473adf #185 Allow git to follow global tagsign config (@junderw)

BUGFIXES

d9238af0b #201 npm/npm#17858 npm/npm#18042 npm.community#644 do not crash when removing nameless packages (@SteveVanOpstal and @isaacs)
4bec4f111 #200 Check for node (as well as node.exe) in npm's local dir on Windows (@rgoulais)
ce93dab2d #180 npm.community#6187 Fix handling of remote deps in npm outdated (@larsgw)

TESTING

a823f3084 travis: Update to include new v12 LTS (@isaacs)
33e2d1dac fix flaky debug-logs test (@isaacs)
e9411c6cd Don't time out waiting for gpg user input (@isaacs)
d2d301704 #195 Add the arm64 check for legacy-platform-all.js test case. (@ossdev07)
a4dc34243 parallel tests (@isaacs)

DOCUMENTATION

f5857e263 #192 Clarify usage of bundledDependencies (@john-osullivan)
747fdaf66 #159 doc: add --audit-level param (@ngraef)

DEPENDENCIES

e36b3c320 graceful-fs@4.2.0 (@isaacs)
6bb935c09 read-package-tree@5.3.1 (@isaacs)
- e9cd536 Use custom caching realpath implementation, dramatically reducing lstat calls when reading the package tree (@isaacs)
39538b460 write-file-atomic@2.4.3 (@isaacs)
- f8b1552 #38 Ignore errors raised by fs.closeSync (@lukeapage)
042193069 pacote@9.5.1 (@isaacs)
- 8bbd051 #172 limit git retry times, avoid unlimited retries (小秦)
- 92f5e4c #170 fix(errors): Fix "TypeError: err.code.match is not a function" error (@jviotti)
8bd8e909f cacache@11.3.3 (@isaacs)
- 47de8f5 #146 npm.community#2395 fix(config): Add ssri config 'error' option (@larsgw)
- 5156561 fix(write): avoid a cb never called situation (@zkat)
- 90f40f0 #166 #165 docs: Fix docs for path property in get.info (@hdgarrood)
bf61c45c6 bluebird@3.5.5 (@isaacs)
f75d46a9d tar@4.4.10 (@isaacs)
- c80341a #215 Fix encoding/decoding of base-256 numbers (@justfalter)
- 77522f0 #204 #214 Use stat instead of lstat when checking CWD (@stkb)
ec6236210 npm-packlist@1.4.4 (@isaacs)
- 63d1e3e #30 Sort package tarball entries by file type for compression benefits (@isaacs)
- 7fcd045 Ignore .DS_Store files as well as folders (@isaacs)
- 68b7c96 Never include .git folders in package root. (Note: this prevents the issue that broke the v6.9.1 release.) (@isaacs)
57bef61bc update fstream in node-gyp (@isaacs)
- Addresses security advisory #886
acbbf7eee #183 licensee@7.0.2 (@kemitchell)
011ae67f0 readable-stream@3.3.0 (@isaacs)
f5e884909 npm-registry-mock@1.2.1 (@isaacs)
b57d07e35 npm-registry-couchapp@2.7.2 (@isaacs)

v6.9.2 (2019-06-27):

This release is identical to v6.9.1, but we had to publish a new version due to a .git directory in the release.

BUGFIXES

6b1a9da0e #165 Update knownBroken version. (@ljharb)
d07547154 npm.community#5929 Fix outdated rendering for global dependencies. (@zkat)
e4a1f1745 npm.community#6259 Fix OTP for token create and remove. (@zkat)

DEPENDENCIES

a163a9c35 sha@3.0.0 (@aeschright)
47b08b3b9 query-string@6.4.0 (@aeschright)
d6a956cff readable-stream@3.2.0 (@aeschright)
10b8bed2b tacks@1.3.0 (@aeschright)
e7483704d tap@12.6.0 (@aeschright)
3242fe698 tar-stream@2.0.1 (@aeschright)

FEATURES

2ba3a0f67 #90 Time traveling installs using the --before flag. (@zkat)
b7b54f2d1 #3 Add support for package aliases. This allows packages to be installed under a different directory than the package name listed in package.json, and adds a new dependency type to allow this to be done for registry dependencies. (@zkat)
684bccf06 #146 Always save package-lock.json when using --package-lock-only. (@aeschright)
b8b8afd40 #139 Make empty-string run-scripts run successfully as a no-op. (@vlasy)
8047b19b1 npm.community#3784 Match git semver ranges when flattening the tree. (@larsgw)
e135c2bb3 npm.community#1725 Re-enable updating local packages. (@larsgw)

BUGFIXES

cf09fbaed #153 Set modified to undefined in npm view when time is not available. This fixes a bug where npm view would crash on certain third-party registries. (@simonua)
774fc26ee #154 Print out tar version in install.sh only when the flag is supported not all the tar implementations support --version flag. This allows the install script to work in OpenBSD, for example. (@agudulin)
863baff11 #158 Fix typo in error message for npm stars. (@phihag)
a805a95ad npm.community#4227 Strip version info from pkg on E404. This improves the error messaging format. (@larsgw)

DOCS

5d7633833 #160 Add npm add as alias to npm install in docs. (@ahasall)
489c2211c #162 Fix link to RFC #10 in the changelog. (@mansona)
433020ead #135 Describe exit codes in npm-audit docs. (@emilis-tm)

DEPENDENCIES

ee6b6746b zkat/make-fetch-happen#29 agent-base@4.2.1 (@TooTallNate)
2ce23baf5 lock-verify@2.1.0: Adds support for package aliases (@zkat)
baaedbc6e pacote@9.5.0: Adds opts.before support (@zkat)
57e771a03 #164 licensee@6.1.0 (@kemitchell)
2b78288d4 add core to default inclusion tests in pack ([@Kat Marchán](https://github.com/Kat Marchán))
9b8b6513f npm.community#5382 npm-packlist@1.4.1: Fixes bug where core/ directories were being suddenly excluded. (@zkat)

v6.8.0 (2019-02-07):

This release includes an implementation of RFC #10, documenting an optional field that can be used to specify the directory path for a package within a monorepo.

NEW FEATURES

3663cdef2 #140 Update package.json docs to include repository.directory details. (@greysteil)

BUGFIXES

550bf703a Add @types to ignore list to fix git clean -fd. (@zkat)
cdb059293 #144 Fix common.npm callback arguments. (@larsgw)
25573e9b9 npm.community#4770 Show installed but unmet peer deps. (@larsgw)
ce2c4bd1a #149 Use figgy-config to make sure extra opts are there. (@zkat)
3c22d1a35 npm.community#5101 Fix ls-collaborators access error for non-scoped case. (@zkat)
d5137091d npm.community#754 Fix issue with sub-folder local references. (@iarna) (@jhecking)

DEPENDENCY BUMPS

d72141080 npm-registry-couchapp@2.7.1 (@zkat)
671cad1b1 npm-registry-fetch@3.9.0: Make sure publishing with legacy username:password _auth works again. (@zkat)
95ca1aef4 pacote@9.4.1 (@aeschright)
322fef403 normalize-package-data@2.5.0 (@aeschright)
32d34c0da npm-packlist@1.3.0 (@aeschright)
338571cf0 read-package-tree@5.2.2 (@zkat)

MISC

89b23a5f7 #120 Use const in lib/fetch-package-metadata.md. (@watilde)
4970d553c #126 Replace ronn with marked-man in .npmignore. (@watilde)
d9b6090dc #138 Reduce work to test if executable ends with a 'g'. (@elidoran) (@larsgw)

Hey y'all! This is a quick hotfix release that includes some important fixes to npm@6.6.0 related to the large rewrite/refactor. We're tagging it as a feature release because the changes involve some minor new features, and semver is semver, but there's nothing major here.

NEW FEATURES

50463f58b Improve usage errors to npm org commands and add optional filtering to npm org ls subcommand. (@zkat)

BUGFIXES

4027070b0 Fix default usage printout for npm org so you actually see how it's supposed to be used. (@zkat)
cfea6ea5b fix default usage message for npm hook (@zkat)

DOCS

e959e1421 Add manpage for npm org command. (@zkat)

DEPENDENCY BUMPS

8543fc357 pacote@9.4.0: Fall back to "fullfat" packuments on ETARGET errors. This will make it so that, when a package is published but the corgi follower hasn't caught up, users can still install a freshly-published package. (@zkat)
75475043b npm.community#4752 libnpmpublish@1.1.1: Fixes auth error for username/password legacy authentication. (@sreeramjayan)
0af8c00ac npm.community#4746 libcipm@3.0.3: Fixes issue with "cannot run in wd" errors for run-scripts. (@zkat)
5a7962e46 write-file-atomic@2.4.2: Fixes issues with leaking signal-exit instances and file descriptors. (@iarna)

v6.6.0 (2019-01-17):

REFACTORING OUT npm-REGISTRY-CLIENT

Today is an auspicious day! This release marks the end of a massive internal refactor to npm that means we finally got rid of the legacy npm-registry-client in favor of the shiny, new, window.fetch-like npm-registry-fetch.

Now, the installer had already done most of this work with the release of npm@5, but it turns out every other command still used the legacy client. This release updates all of those commands to use the new client, and while we're at it, adds a few extra goodies:

All OTP-requiring commands will now prompt. --otp is no longer required for dist-tag, access, et al.
We're starting to integrate a new config system which will eventually get extracted into a standalone package.
We now use libnpm for the API functionality of a lot of our commands! That means you can install a library if you want to write your own tooling around them.
There's now an npm org command for managing users in your org.
pacote now consumes npm-style configurations, instead of its own naming for various config vars. This will make it easier to load npm configs using libnpm.config and hand them directly to pacote.

There's too many commits to list all of them here, so check out the PR if you're curious about details:

c5af34c05 npm-registry-client@REMOVED (@zkat)
4cca9cb90 ad67461dc 77625f9e2 6e922aefb 584613ea8 64de4ebf0 6cd87d1a9 2786834c0 514558e09 dec07ebe3 084741913 45aff0e02 846ddcc44 8971ba1b9 99156e081 ab2155306 b37a66542 d2af0777a e0b4c6880 ff72350b4 6ed943303 90a069e7d b24ed5fdc ec9fcc14f 8a56fa39e 41d19e18f 125ff9551 1c3b226ff 3c0a7b06b 08fcb3f0f c8135d97a ae936f22c #2 Move rest of commands to npm-registry-fetch and use figgy-pudding for configs. (@zkat)

NEW FEATURES

02c837e01 #106 Make npm dist-tags the same as npm dist-tag ls. (@isaacs)
1065a7809 #65 Add support for IBM i. (@dmabupt)
a22e6f5fc #131 Update profile to support new npm-profile API. (@zkat)

BUGFIXES

890a74458 npm.community#3278 Fix support for passing git binary path config with --git. (@larsgw)
90e55a143 npm.community#2713 Check for npm.config's existence in error-handler.js to prevent weird errors when failures happen before config object is loaded. (@BeniCheni)
134207174 npm.community#2569 Fix checking for optional dependencies. (@larsgw)
7a2f6b05d npm.community#4172 Remove tink experiments. (@larsgw)
c5b6056b6 #123 Handle git branch references correctly. (@johanneswuerbach)
f58b43ef2 npm.community#3983 Report any errors above 400 as potentially not supporting audit. (@zkat)
a5c9e6f35 #124 Set default homepage to an empty string. (@anchnk)
5d076351d npm.community#4054 Fix npm-prefix description. (@larsgw)

DOCS

31a7274b7 #71 Fix typo in npm-token documentation. (@GeorgeTaveras1231)
2401b7592 Correct docs for fake-registry interface. (@iarna)

DEPENDENCIES

9cefcdc1d npm-registry-fetch@3.8.0 (@zkat)
1c769c9b3 pacote@9.1.0 (@zkat)
f3bc5539b figgy-pudding@3.5.1 (@zkat)
bf7199d3c npm-profile@4.0.1 (@zkat)
118c50496 semver@5.5.1 (@isaacs)
eab4df925 libcipm@3.0.2 (@zkat)
b86e51573 libnpm@1.4.0 (@zkat)
56fffbff2 get-stream@4.1.0 (@zkat)
df972e948 npm-profile@REMOVED (@zkat)
32c73bf0e libnpm@2.0.1 (@zkat)
569491b80 licensee@5.0.0 (@zkat)
a3ba0ccf1 move rimraf to prod deps (@zkat)
f63a0d6cf spdx-license-ids@3.0.3: Ref: https://github.com/npm/cli/pull/121 (@zkat)
f350e714f aproba@2.0.0 (@aeschright)
a67e4d8b2 byte-size@5.0.1 (@aeschright)
8bea4efa3 cacache@11.3.2 (@aeschright)
9d4776836 chownr@1.1.1 (@aeschright)
70da139e9 ci-info@2.0.0 (@aeschright)
bcdeddcc3 cli-table3@0.5.1 (@aeschright)
63aab82c7 is-cidr@3.0.0 (@aeschright)
d522bd90c JSONStream@1.3.5 (@aeschright)
2a59bfc79 libnpmhook@5.0.2 (@aeschright)
66d60e394 marked@0.6.0 (@aeschright)
8213def9a npm-packlist@1.2.0 (@aeschright)
e4ffc6a2b unique-filename@1.1.1 (@aeschright)
09a5c2fab semver@5.6.0 (@aeschright)
740e79e17 rimraf@2.6.3 (@aeschright)
455476c8d require-inject@1.4.4 (@aeschright)
3f40251c5 npm-pick-manifest@2.2.3 (@aeschright)
4ffa8a8e9 query-string@6.2.0 (@aeschright)
a0a0ca9ec pacote@9.3.0 (@aeschright)
5777ea8ad readable-stream@3.1.1 (@aeschright)
887e94386 lru-cache@4.1.5 (@aeschright)
41f15524c Updating semver docs. (@aeschright)
fb3bbb72d npm-audit-report@1.3.2: (@melkikh)

TESTING

f1edffba9 Modernize maketest script. (@iarna)
ae263473d maketest: Use promise based example common.npm call. (@iarna)
d9970da5e maketest: Use newEnv for env production. (@iarna)

MISCELLANEOUS

c665f35aa #119 Replace var with const/let in lib/repo.js. (@watilde)
46639ba9f Update package-lock.json for https tarball URLs (@aeschright)

v6.5.0 (2018-11-28):

NEW FEATURES

fc1a8d185 Backronym npm ci to npm clean-install. (@zkat)
4be51a9cc #81 Adds 'Homepage' to outdated --long output. (@jbottigliero)

BUGFIXES

89652cb9b npm.community#1661 Fix sign-git-commit options. They were previously totally wrong. (@zkat)
414f2d1a1 npm.community#1742 Set lowercase headers for npm audit requests. (@maartenba)
a34246baf #75 Fix npm edit handling of scoped packages. (@larsgw)
d3e8a7c72 npm.community#2303 Make summary output for npm ci go to stdout, not stderr. (@alopezsanchez)
71d8fb4a9 npm.community#1377 Close the file descriptor during publish if exiting upload via an error. This will prevent strange error messages when the upload fails and make sure cleanup happens correctly. (@macdja38)

DOCS UPDATES

b1a8729c8 #60 Mention --otp flag when prompting for OTP. (@bakkot)
bcae4ea81 #64 Clarify that git dependencies use the default branch, not just master. (@zckrs)
15da82690 #72 bash_completion.d dir is sometimes found in /etc not /usr/local. (@RobertKielty)
8a6ecc793 #74 Update OTP documentation for dist-tag add to clarify --otp is needed right now. (@scotttrinh)
dcc03ec85 #82 Note that prepare runs when installing git dependencies. (@seishun)
a91a470b7 #83 Specify that --dry-run isn't available in older versions of npm publish. (@kjin)
1b2fabcce #96 Fix inline code tag issue in docs. (@midare)
6cc70cc19 #68 Add semver link and a note on empty string format to deprecate doc. (@neverett)
61dbbb7c3 Fix semver docs after version update. (@zkat)
4acd45a3d #78 Correct spelling across various docs. (@hugovk)

DEPENDENCIES

4f761283e figgy-pudding@3.5.1 (@zkat)
3706db0bc npm.community#1764 ssri@6.0.1 (@zkat)
83c2b117d bluebird@3.5.2 (@petkaantonov)
2702f46bd ci-info@1.5.1 (@watson)
4db6c3898 config-chain@1.1.1:2 (@dawsbot)
70bee4f69 glob@7.1.3 (@isaacs)
e469fd6be opener@1.5.1: Fix browser opening under Windows Subsystem for Linux (WSL). (@thijsputman)
03840dced semver@5.5.1 (@iarna)
161dc0b41 bluebird@3.5.3 (@petkaantonov)
bb6f94395 graceful-fs@4.1.1:5 (@isaacs)
43b1f4c91 tar@4.4.8 (@isaacs)
ab62afcc4 npm-packlist@1.1.1:2 (@isaacs)
027f06be3 ci-info@1.6.0 (@watson)

MISCELLANEOUS

27217dae8 #70 Automatically audit dependency licenses for npm itself. (@kemitchell)

v6.4.1 (2018-08-22):

BUGFIXES

4bd40f543 #42 Prevent blowing up on malformed responses from the npm audit endpoint, such as with third-party registries. (@framp)
0e576f0aa #46 Fix NO_PROXY support by renaming npm-side config to --noproxy. The environment variable should still work. (@SneakyFish5)
d8e811d6a #33 Disable update-notifier checks when a CI environment is detected. (@Sibiraj-S)
1bc5b8cea #47 Fix issue where postpack scripts would break if pack was used with --dry-run. (@larsgw)

DEPENDENCY BUMPS

4c57316d5 figgy-pudding@3.4.1 (@zkat)
85f4d7905 cacache@11.2.0 (@zkat)
d20ac242a npm-packlist@1.1.11: No real changes in npm-packlist, but npm-bundled included a circular dependency fix, as well as adding a proper LICENSE file. (@isaacs)
e8d5f4418 npm.community#632 libcipm@2.0.2: Fixes issue where npm ci wasn't running the prepare lifecycle script when installing git dependencies (@edahlseng)
a5e6f78e9 JSONStream@1.3.4: Fixes memory leak problem when streaming large files (like legacy npm search). (@daern91)
3b940331d npm.community#1042 npm-lifecycle@2.1.0: Fixes issue for Windows user where multiple Path/PATH variables were being added to the environment and breaking things in all sorts of fun and interesting ways. (@JimiC)
d612d2ce8 npm-registry-client@8.6.0 (@iarna)
1f6ba1cb1 opener@1.5.0 (@domenic)
37b8f405f request@2.88.0 (@mikeal)
bb91a2a14 tacks@1.2.7 (@iarna)
30bc9900a ci-info@1.4.0: Adds support for two more CI services (@watson)
1d2fa4ddd marked@0.5.0 (@joshbruce)

DOCUMENTATION

08ecde292 #54 Mention registry terms of use in manpage and registry docs and update language in README for it. (@kemitchell)
de956405d #41 Add documentation for --dry-run in install and pack docs. (@reconbot)
95031b90c #48 Update republish time and lightly reorganize republish info. (@neverett)
767699b68 #53 Correct npm@6.4.0 release date in changelog. (@charmander)
3fea3166e #55 Align command descriptions in help text. (@erik)

v6.4.0 (2018-08-09):

NEW FEATURES

6e9f04b0b npm/cli#8 Search for authentication token defined by environment variables by preventing the translation layer from env variable to npm option from breaking :_authToken. (@mkhl)
84bfd23e7 npm/cli#35 Stop filtering out non-IPv4 addresses from local-addrs, making npm actually use IPv6 addresses when it must. (@valentin2105)
792c8c709 npm/cli#31 configurable audit level for non-zero exit npm audit currently exits with exit code 1 if any vulnerabilities are found of any level. Add a flag of --audit-level to npm audit to allow it to pass if only vulnerabilities below a certain level are found. Example: npm audit --audit-level=high will exit with 0 if only low or moderate level vulns are detected. (@lennym)

BUGFIXES

d81146181 npm/cli#32 Don't check for updates to npm when we are updating npm itself. (@olore)

DEPENDENCY UPDATES

A very special dependency update event! Since the release of node-gyp@3.8.0, an awkward version conflict that was preventing request from begin flattened was resolved. This means two things:

We've cut down the npm tarball size by another 200kb, to 4.6MB
npm audit now shows no vulnerabilities for npm itself!

Thanks, @rvagg!

866d776c2 request@2.87.0 (@simov)
f861c2b57 node-gyp@3.8.0 (@rvagg)
32e6947c6 npm/cli#39 colors@1.1.2: REVERT REVERT, newer versions of this library are broken and print ansi codes even when disabled. (@iarna)
beb96b92c libcipm@2.0.1 (@zkat)
348fc91ad validate-npm-package-license@3.0.4: Fixes errors with empty or string-only license fields. (@Gudahtt)
e57d34575 iferr@1.0.2 (@shesek)
46f1c6ad4 tar@4.4.6 (@isaacs)
50df1bf69 hosted-git-info@2.7.1 (@iarna) (@Erveon) (@huochunpeng)

DOCUMENTATION

af98e76ed npm/cli#34 Remove npm publish from list of commands not affected by --dry-run. (@joebowbeer)
e2b0f0921 npm/cli#36 Tweak formatting in repository field examples. (@noahbenham)
e2346e770 npm/cli#14 Used process.env examples to make accessing certain npm run-scripts environment variables more clear. (@mwarger)

v6.3.0 (2018-08-01):

This is basically the same as the prerelease, but two dependencies have been bumped due to bugs that had been around for a while.

0a22be42e figgy-pudding@3.2.0 (@zkat)
0096f6997 cacache@11.1.0 (@zkat)

v6.3.0-next.0 (2018-07-25):

NEW FEATURES

ad0dd226f npm/cli#26 npm version now supports a --preid option to specify the preid for prereleases. For example, npm version premajor --preid rc will tag a version like 2.0.0-rc.0. (@dwilches)

MESSAGING IMPROVEMENTS

c1dad1e99 npm/cli#6 Make npm audit fix message provide better instructions for vulnerabilities that require manual review. (@bradsk88)
15c1130fe Fix missing colon next to tarball url in new npm view output. (@zkat)
21cf0ab68 npm/cli#24 Use the default OTP explanation everywhere except when the context is "OTP-aware" (like when setting double-authentication). This improves the overall CLI messaging when prompting for an OTP code. (@jdeniau)

MISC

a9ac8712d npm/cli#21 Use the extracted stringify-package package. (@dpogue)
9db15408c npm/cli#27 wrappy was previously added to dependencies in order to flatten it, but we no longer do legacy-style for npm itself, so it has been removed from package.json. (@rickschubert)

DOCUMENTATION

3242baf08 npm/cli#13 Update more dead links in README.md. (@u32i64)
06580877b npm/cli#19 Update links in docs' index.html to refer to new bug/PR URLs. (@watilde)
ca03013c2 npm/cli#15 Fix some typos in file-specifiers docs. (@Mstrodl)
4f39f79bc npm/cli#16 Fix some typos in file-specifiers and package-lock docs. (@watilde)
35e51f79d npm/cli#18 Update build status badge url in README. (@watilde)
a67db5607 npm/cli#17 Replace TROUBLESHOOTING.md with posts in npm.community. (@watilde)
e115f9de6 npm/cli#7 Use https URLs in documentation when appropriate. Happy Not Secure Day! (@XhmikosR)

v6.2.0 (2018-07-13):

In case you missed it, we moved!. We look forward to seeing future PRs landing in npm/cli in the future, and we'll be chatting with you all in npm.community. Go check it out!

This final release of npm@6.2.0 includes a couple of features that weren't quite ready on time but that we'd still like to include. Enjoy!

FEATURES

244b18380 #20554 Add support for tab-separated output for npm audit data with the --parseable flag. (@luislobo)
7984206e2 #12697 Add new sign-git-commit config to control whether the git commit itself gets signed, or just the tag (which is the default). (@tribou)

FIXES

4c32413a5 #19418 Do not use SET to fetch the env in git-bash or Cygwin. (@gucong3000)

DEPENDENCY BUMPS

d9b2712a6 request@2.81.0: Downgraded to allow better deduplication. This does introduce a bunch of hoek-related audit reports, but they don't affect npm itself so we consider it safe. We'll upgrade request again once node-gyp unpins it. (@simov)
2ac48f863 node-gyp@3.7.0 (@MylesBorins)
8dc6d7640 cli-table3@0.5.0: cli-table2 is unmaintained and required lodash. With this dependency bump, we've removed lodash from our tree, which cut back tarball size by another 300kb. (@Turbo87)
90c759fee npm-audit-report@1.3.1 (@zkat)
4231a0a1e Add cli-table3 to bundleDeps. (@iarna)
322d9c2f1 Make standard happy. (@iarna)

DOCS

5724983ea #21165 Fix some markdown formatting in npm-disputes.md. (@hchiam)
738178315 #20920 Explicitly state that republishing an unpublished package requires a 72h waiting period. (@gmattie)
f0a372b07 Replace references to the old repo or issue tracker. We're at npm/cli now! (@zkat)

v6.2.0-next.1 (2018-07-05):

This is a quick patch to the release to fix an issue that was preventing users from installing npm@next.

ecdcbd745 #21129 Remove postinstall script that depended on source files, thus preventing npm@next from being installable from the registry. (@zkat)

v6.2.0-next.0 (2018-06-28):

NEW FEATURES

ce0793358 #20750 You can now disable the update notifier entirely by using --no-update-notifier or setting it in your config with npm config set update-notifier false. (@travi)
d2ad776f6 #20879 When npm run-script <script> fails due to a typo or missing script, npm will now do a "did you mean?..." for scripts that do exist. (@watilde)

BUGFIXES

8f033d72d #20948 Fix the regular expression matching in xcode_emulation in node-gyp to also handle version numbers with multiple-digit major versions which would otherwise break under use of XCode 10. (@Trott)
c8ba7573a Stop trying to hoist/dedupe bundles dependencies. (@iarna)
cd698f068 #20762 Add synopsis to brief help for npm audit and suppress trailing newline. (@wyardley)
6808ee3bd #20881 Exclude /.github directory from npm tarball. (@styfle)
177cbb476 #21105 Add suggestion to use a temporary cache instead of npm cache clear --force. (@karanjthakkar)

DOCS

7ba3fca00 #20855 Direct people to npm.community instead of the GitHub issue tracker on error. (@zkat)
88efbf6b0 #20859 Fix typo in registry docs. (@strugee)
61bf827ae #20947 Fixed a small grammar error in the README. (@bitsol)
f5230c90a #21018 Small typo fix in CONTRIBUTING.md. (@reggi)
833efe4b2 #20986 Document current structure/expectations around package tarballs. (@Maximaximum)
9fc0dc4f5 #21019 Clarify behavior of npm link ../path shorthand. (@davidgilbertson)
3924c72d0 #21064 Add missing "if" (@roblourens)

DEPENDENCY SHUFFLE!

We did some reshuffling and moving around of npm's own dependencies. This significantly reduces the total bundle size of the npm pack, from 8MB to 4.8MB for the distributed tarball! We also moved around what we actually commit to the repo as far as devDeps go.

0483f5c5d Flatten and dedupe our dependencies! (@iarna)
ef9fa1ceb Remove unused direct dependency ansi-regex. (@iarna)
0d14b0bc5 Reshuffle ansi-regex for better deduping. (@iarna)
68a101859 Reshuffle strip-ansi for better deduping. (@iarna)
0d5251f97 Reshuffle is-fullwidth-code-point for better deduping. (@iarna)
2d0886632 Add fake-registry, npm-registry-mock replacement. (@iarna)

DEPENDENCIES

8cff8eea7 tar@4.4.3 (@zkat)
bfc4f873b pacote@8.1.6 (@zkat)
532096163 libcipm@2.0.0 (@zkat)
4a512771b request@2.87.0 (@iarna)
b7cc48dee which@1.3.1 (@iarna)
bae657c28 tar@4.4.4 (@iarna)
3d46e5c4e JSONStream@1.3.3 (@iarna)
d0a905daf is-cidr@2.0.6 (@iarna)
4fc1f815f marked@0.4.0 (@iarna)
f72202944 tap@12.0.1 (@iarna)
bdce96eb3 npm-profile@3.0.2 (@iarna)
fe4240e85 uuid@3.3.2 (@zkat)

v6.1.0 (2018-05-17):

FIX WRITE AFTER END ERROR

First introduced in 5.8.0, this finally puts to bed errors where you would occasionally see Error: write after end at MiniPass.write.

171f3182f node-tar#180 npm.community#35 pacote@8.1.5: Fix write-after-end errors. (@zkat)

DETECT CHANGES IN GIT SPECIFIERS

0e1726c03 We can now determine if the commitid of a git dependency in the lockfile is derived from the specifier in the package.json and if it isn't we now trigger an update for it. (@iarna)

OTHER BUGS

442d2484f 2f0c88351 631d30a34 When requesting the update of a direct dependency that was also a transitive dependency to a version incompatible with the transitive requirement and you had a lock-file but did not have a node_modules folder then npm would fail to provide a new copy of the transitive dependency, resulting in an invalid lock-file that could not self heal. (@iarna)
be5dd0f49 #20715 Cleanup output of npm ci summary report. (@legodude17)
98ffe4adb Node.js now has a test that scans for things that look like conflict markers in source code. This was triggering false positives on a fixture in a test of npm's ability to heal lockfiles with conflicts in them. (@iarna)

DEPENDENCY UPDATES

3f2e306b8 Using npm audit fix, replace some transitive dependencies with security issues with versions that don't have any. (@iarna)
1d07134e0 tar@4.4.1: Dropping to 4.4.1 from 4.4.2 due to https://github.com/npm/node-tar/issues/183 (@zkat)

v6.1.0-next.0 (2018-05-17):

Look at that! A feature bump! npm@6 was super-exciting not just because it used a bigger number than ever before, but also because it included a super shiny new command: npm audit. Well, we've kept working on it since then and have some really nice improvements for it. You can expect more of them, and the occasional fix, in the next few releases as more users start playing with it and we get more feedback about what y'all would like to see from something like this.

I, for one, have started running it (and the new subcommand...) in all my projects, and it's one of those things that I don't know how I ever functioned -without- it! This will make a world of difference to so many people as far as making the npm ecosystem a higher-quality, safer commons for all of us.

This is also a good time to remind y'all that we have a new RFCs repository, along with a new process for them. This repo is open to anyone's RFCs, and has already received some great ideas about where we can take the CLI (and, to a certain extent, the registry). It's a great place to get feedback, and completely replaces feature requests in the main repo, so we won't be accepting feature requests there at all anymore. Check it out if you have something you'd like to suggest, or if you want to keep track of what the future might look like!

NEW FEATURE: `npm audit fix`

This is the biggie with this release! npm audit fix does exactly what it says on the tin. It takes all the actionable reports from your npm audit and runs the installs automatically for you, so you don't have to try to do all that mechanical work yourself!

Note that by default, npm audit fix will stick to semver-compatible changes, so you should be able to safely run it on most projects and carry on with your day without having to track down what breaking changes were included. If you want your (toplevel) dependencies to accept semver-major bumps as well, you can use npm audit fix --force and it'll toss those in, as well. Since it's running the npm installer under the hood, it also supports --production and --only=dev flags, as well as things like --dry-run, --json, and --package-lock-only, if you want more control over what it does.

Give it a whirl and tell us what you think! See npm help audit for full docs!

3800a660d Add npm audit fix subcommand to automatically fix detected vulnerabilities. (@zkat)

OTHER NEW `audit` FEATURES

1854b1c7f #20568 Add support for npm audit --json to print the report in JSON format. (@finnp)
85b86169d #20570 Include number of audited packages in npm install summary output. (@zkat)
957cbe275 npm-audit-report@1.2.1: Overhaul audit install and detail output format. The new format is terser and fits more closely into the visual style of the CLI, while still providing you with the important bits of information you need. They also include a bit more detail on the footer about what actions you can take! (@zkat)

NEW FEATURE: GIT DEPS AND `npm init <pkg>`!

Another exciting change that came with npm@6 was the new npm init command that allows for community-authored generators. That means you can, for example, do npm init react-app and it'll one-off download, install, and run create-react-app for you, without requiring or keeping around any global installs. That is, it basically just calls out to npx.

The first version of this command only really supported registry dependencies, but now, @jdalton went ahead and extended this feature so you can use hosted git dependencies, and their shorthands.

So go ahead and do npm init facebook/create-react-app and it'll grab the package from the github repo now! Or you can use it with a private github repository to maintain your organizational scaffolding tools or whatnot. ✨

483e01180 #20403 Add support for hosted git packages to npm init <name>. (@jdalton)

BUGFIXES

a41c0393c #20538 Make the new npm view work when the license field is an object instead of a string. (@zkat)
eb7522073 #20582 Add support for environments (like Docker) where the expected binary for opening external URLs is not available. (@bcoe)
212266529 #20536 Fix a spurious colon in the new update notifier message and add support for the npm canary. (@zkat)
5ee1384d0 #20597 Infer a version range when a package.json has a dist-tag instead of a version range in one of its dependency specs. Previously, this would cause dependencies to be flagged as invalid. (@zkat)
4fa68ae41 #20585 Make sure scoped bundled deps are shown in the new publish preview, too. (@zkat)
1f3ee6b7e cacache@11.0.2: Stop dropping size from metadata on npm cache verify. (@jfmartinez)
91ef93691 #20513 Fix nested command aliases. (@mmermerkaya)
18b2b3cf7 npm-lifecycle@2.0.3: Make sure different versions of the Path env var on Windows all get node_modules/.bin prepended when running lifecycle scripts. (@laggingreflex)

DOCUMENTATION

a91d87072 #20550 Update required node versions in README. (@legodude17)
bf3cfa7b8 Pull in changelogs from the last npm@5 release. (@iarna)
b2f14b14c #20629 Make tone in publishConfig docs more neutral. (@jeremyckahn)

DEPENDENCY BUMPS

5fca4eae8 byte-size@4.0.3 (@75lb)
d9ef3fba7 lru-cache@4.1.3 (@isaacs)
f1baf011a request@2.86.0 (@simonv)
005fa5420 require-inject@1.4.3 (@iarna)
1becdf09a tap@11.1.5 (@isaacs)

v6.0.1 (2018-05-09):

AUDIT SHOULDN'T WAIT FOREVER

This will likely be reduced further with the goal that the audit process shouldn't noticibly slow down your builds regardless of your network situation.

3dcc240db Timeout audit requests eventually. (@iarna)

Looking forward

We're still a way from having node@11, so now's a good time to ensure we don't warn about being used with it.

ed1aebf55 Allow node@11, when it comes. (@iarna)

v6.0.1-next.0 (2018-05-03):

CTRL-C OUT DURING PACKAGE EXTRACTION AS MUCH AS YOU WANT!

b267bbbb9 npm/lockfile#29 lockfile@1.0.4: Switches to signal-exit to detect abnormal exits and remove locks. (@Redsandro)

SHRONKWRAPS AND LACKFILES

If a published modules had legacy npm-shrinkwrap.json we were saving ordinary registry dependencies (name@version) to your package-lock.json as https:// URLs instead of versions.

89102c0d9 When saving the lock-file compute how the dependency is being required instead of using _resolved in the package.json. This fixes the bug that was converting registry dependencies into https:// dependencies. (@iarna)
676f1239a When encountering a https:// URL in our lockfiles that point at our default registry, extract the version and use them as registry dependencies. This lets us heal package-lock.json files produced by 6.0.0 (@iarna)

AUDIT AUDIT EVERYWHERE

You can't use it quite yet, but we do have a few last moment patches to npm audit to make it even better when it is turned on!

b2e4f48f5 Make sure we hide stream errors on background audit submissions. Previously some classes of error could end up being displayed (harmlessly) during installs. (@iarna)
1fe0c7fea Include session and scope in requests (as we do in other requests to the registry). (@iarna)
d04656461 Exit with non-zero status when vulnerabilities are found. So you can have npm audit as a test or prepublish step! (@iarna)
fcdbcbacc Verify lockfile integrity before running. You'd get an error either way, but this way it's faster and can give you more concrete instructions on how to fix it. (@iarna)
2ac8edd42 Refuse to run in global mode. Audits require a lockfile and globals don't have one. Yet. (@iarna)

DOCUMENTATION IMPROVEMENTS

b7fca1084 #20407 Update the lock-file spec doc to mention that we now generate the from field for git-type dependencies. (@watilde)
7a6555e61 #20408 Describe what the colors in outdated mean. (@teameh)

DEPENDENCY UPDATES

5e56b3209 npm-audit-report@1.0.8 (@evilpacket)
58a0b31b4 lock-verify@2.0.2 (@iarna)
e7a8c364f zkat/pacote#148 pacote@8.1.1 (@redonkulus)
46c0090a5 tar@4.4.2 (@isaacs)
8a16db3e3 update-notifier@2.5.0 (@alexccl)
696375903 safe-buffer@5.1.2 (@feross)
c949eb26a query-string@6.1.0 (@sindresorhus)

v6.0.0 (2018-04-20):

Hey y'all! Here's another npm@6 release -- with node@10 around the corner, this might well be the last prerelease before we tag 6.0.0! There's two major features included with this release, along with a few miscellaneous fixes and changes.

EXTENDED `npm init` SCAFFOLDING

Thanks to the wonderful efforts of @jdalton of lodash fame, npm init can now be used to invoke custom scaffolding tools!

You can now do things like npm init react-app or npm init esm to scaffold an npm package by running create-react-app and create-esm, respectively. This also adds an npm create alias, to correspond to Yarn's yarn create feature, which inspired this.

008a83642 ed81d1426 833046e45 #20303 Add an npm init feature that calls out to npx when invoked with positional arguments. (@jdalton)

DEPENDENCY AUDITING

This version of npm adds a new command, npm audit, which will run a security audit of your project's dependency tree and notify you about any actions you may need to take.

The registry-side services required for this command to work will be available on the main npm registry in the coming weeks. Until then, you won't get much out of trying to use this on the CLI.

As part of this change, the npm CLI now sends scrubbed and cryptographically anonymized metadata about your dependency tree to your configured registry, to allow notifying you about the existence of critical security flaws. For details about how the CLI protects your privacy when it shares this metadata, see npm help audit, or read the docs for npm audit online. You can disable this altogether by doing npm config set audit false, but will no longer benefit from the service.

f4bc648ea #20389 npm-registry-fetch@1.1.0 (@iarna)
594d16987 #20389 npm-audit-report@1.0.5 (@iarna)
8c77dde74 1d8ac2492 552ff6d64 09c734803 #20389 Add new npm audit command. (@iarna)
be393a290 #20389 Temporarily suppress git metadata till there's an opt-in. (@iarna)
8e713344f #20389 Document the new command. (@iarna)
#20389 Default audit to off when running the npm test suite itself. (@iarna)

MORE `package-lock.json` FORMAT CHANGES?!

820f74ae2 #20384 Add from field back into package-lock for git dependencies. This will give npm the information it needs to figure out whether git deps are valid, specially when running with legacy install metadata or in --package-lock-only mode when there's no node_modules. This should help remove a significant amount of git-related churn on the lock-file. (@zkat)

BUGFIXES

9d5d0a18a #20358 npm install-test (aka npm it) will no longer generate package-lock.json when running with --no-package-lock or package-lock=false. (@raymondfeng)
e4ed976e2 2facb35fb 9c1eb945b #20390 Fix a scenario where a git dependency had a comittish associated with it that was not a complete commitid. npm would never consider that entry in the package.json as matching the entry in the package-lock.json and this resulted in inappropriate pruning or reinstallation of git dependencies. This has been addressed in two ways, first, the addition of the from field as described in #20384 means we can exactly match the package.json. Second, when that's missing (when working with older package-lock.json files), we assume that the match is ok. (If it's not, we'll fix it up when a real installation is done.) (@iarna)

DEPENDENCIES

1c1f89b73 libnpx@10.2.0 (@zkat)
242d8a647 pacote@8.1.0 (@zkat)

DOCS

a1c77d614 #20331 Fix broken link to 'private-modules' page. The redirect went away when the new npm website went up, but the new URL is better anyway. (@vipranarayan14)
ad7a5962d #20279 Document the --if-present option for npm run-script. (@aleclarson)

v6.0.0-next.1 (2018-04-12):

NEW FEATURES

a9e722118 #20256 Add support for managing npm webhooks. This brings over functionality previously provided by the wombat CLI. (@zkat)
8a1a64203 #20126 Add npm cit command that's equivalent of npm ci && npm t that's equivalent of npm it. (@SimenB)
fe867aaf1 49d18b4d8 ff6b31f77 78eab3cda The requires field in your lock-file will be upgraded to use ranges from versions on your first use of npm. (@iarna)
cf4d7b4de #20257 Add shasum and integrity to the new npm view output. (@zkat)

BUG FIXES

685764308 Fix a bug where OTPs passed in via the commandline would have leading zeros deleted resulted in authentication failures. (@iarna)
8f3faa323 6800f76ff ec90c06c7 825b5d2c6 4785f13fb bd16485f5 Restore the ability to bundle dependencies that are uninstallable from the registry. This also eliminates needless registry lookups for bundled dependencies.

Fixed a bug where attempting to install a dependency that is bundled inside another module without reinstalling that module would result in ENOENT errors. (@iarna)
429498a8c #20029 Allow packages with non-registry specifiers to follow the fast path that the we use with the lock-file for registry specifiers. This will improve install time especially when operating only on the package-lock (--package-lock-only). (@zkat)

Fix the a bug where npm i --only=prod could remove development dependencies from lock-file. (@iarna)
834b46ff4 #20122 Improve the update-notifier messaging (borrowing ideas from pnpm) and eliminate false positives. (@zkat)
f9de7ef3a #20154 Let version succeed when package-lock.json is gitignored. (@nwoltman)
f8ec52073 #20212 Ensure that we only create an etc directory if we are actually going to write files to it. (@buddydvd)
ab489b753 #20140 Note in documentation that package-lock.json version gets touched by npm version. (@srl295)
857c2138d #20032 Fix bug where unauthenticated errors would get reported as both 404s and 401s, i.e. npm ERR! 404 Registry returned 401. In these cases the error message will now be much more informative. (@iarna)
d2d290bca #20082 Allow optional @ prefix on scope with npm team commands for parity with other commands. (@bcoe)
b5babf0a9 #19580 Improve messaging when two-factor authentication is required while publishing. (@jdeniau)
471ee1c5b 0da38b7b4 Fix a bug where optional status of a dependency was not being saved to the package-lock on the initial install. (@iarna)
b3f98d8ba 9dea95e31 Ensure that --no-optional does not remove optional dependencies from the lock-file. (@iarna)

MISCELLANEOUS

ec6b12099 Exclude all tests from the published version of npm itself. (@iarna)

DEPENDENCY UPDATES

73dc97455 zkat/cipm#46 libcipm@1.6.2: Detect binding.gyp for default install lifecycle. Let's npm ci work on projects that have their own C code. (@caleblloyd)
77c3f7a00 iferr@1.0.0
dce733e37 zkat/json-parse-better-errors#1 json-parse-better-errors@1.0.2 (@Hoishin)
c52765ff3 readable-stream@2.3.6 (@mcollina)
e160adf9f update-notifier@2.4.0 (@sindersorhus)
9a9d7809e marked@0.3.1 (@joshbruce)
f2fbd8577 #20256 figgy-pudding@2.0.1 (@zkat)
44972d53d #20256 libnpmhook@3.0.0 (@zkat)
cfe562c58 #20276 node-gyp@3.6.2
3c0bbcb8e zkat/npx#172 libnpx@10.1.1 (@jdalton)
0573d91e5 zkat/cacache#128 cacache@11.0.1 (@zkat)
396afa99f figgy-pudding@3.1.0 (@zkat)
e7f869c36 pacote@8.0.0 (@zkat)
77dac72df ssri@6.0.0 (@zkat)
0b802f2a0 retry@0.12.0 (@iarna)
4781b64bc libnpmhook@4.0.1 (@zkat)
7bdbaeea6 npm-package-arg@6.1.0 (@zkat)
5f2bf4222 read-package-tree@5.2.1 (@zkat)

v6.0.0-0 (2018-03-23):

Sometimes major releases are a big splash, sometimes they're something smaller. This is the latter kind. That said, we expect to keep this in release candidate status until Node 10 ships at the end of April. There will likely be a few more features for the 6.0.0 release line between now and then. We do expect to have a bigger one later this year though, so keep an eye out for npm@7!

BREAKING AVOID DEPRECATED

When selecting versions to install, we now avoid deprecated versions if possible. For example:

Module: example
Versions:
1.0.0
1.1.0
1.1.2
1.1.3 (deprecated)
1.2.0 (latest)

If you ask npm to install example@~1.1.0, npm will now give you 1.1.2.

By contrast, if you installed example@~1.1.3 then you'd get 1.1.3, as it's the only version that can match the range.

78bebc0ce #20151 Skip deprecated versions when possible. (@zkat)

BREAKING UPDATE AND OUTDATED

When npm install is finding a version to install, it first checks to see if the specifier you requested matches the latest tag. If it doesn't, then it looks for the highest version that does. This means you can do release candidates on tags other than latest and users won't see them unless they ask for them. Promoting them is as easy as setting the latest tag to point at them.

Historically npm update and npm outdated worked differently. They just looked for the most recent thing that matched the semver range, disregarding the latest tag. We're changing it to match npm install's behavior.

3aaa6ef42 Make update and outdated respect latest interaction with semver as install does. (@iarna)
e5fbbd2c9 npm-pick-manifest@2.1.0 (@iarna)

PLUS ONE SMALLER PATCH

Technically this is a bug fix, but the change in behavior is enough of an edge case that I held off on bringing it in until a major version.

When we extract a binary and it starts with a shebang (or "hash bang"), that is, something like:

#!/usr/bin/env node

If the file has Windows line endings we strip them off of the first line. The reason for this is that shebangs are only used in Unix-like environments and the files with them can't be run if the shebang has a Windows line ending.

Previously we converted ALL line endings from Windows to Unix. With this patch we only convert the line with the shebang. (Node.js works just fine with either set of line endings.)

814658371 7265198eb bin-links@1.1.2: Only rewrite the CR after a shebang (if any) when fixing up CR/LFs. (@iarna)

BREAKING SUPPORTED NODE VERSIONS

Per our supported Node.js policy, we're dropping support for both Node 4 and Node 7, which are no longer supported by the Node.js project.

077cbe917 Drop support for Node 4 and Node 7. (@iarna)

DEPENDENCIES

478fbe2d0 iferr@1.0.0
b18d88178 query-string@6.0.0
e02fa7497 is-cidr@2.0.5
c8f8564be 311e55512 standard@11.0.1