Changelog

v7.24.2 (2021-10-04)

BUG FIXES

• 56d6cfdc0 #3804 encode url before opening (@isaacs)
• 075fe5056 #3799 restore exit code on "npm outdated" (@gfyoung)
• dbb90f799 #3809 use Intl.Collator for string sorting when available (@isaacs)

DEPENDENCIES

• 69ab10bbf is-core-module@2.7.0
• e94ddeaca @npmcli/arborist@2.9.0:
  • fix: avoid infinite loops in peer dep replacements
  • fix: use Intl.Collator for string sorting when available
  • feat(vuln): expose isDirect

DOCUMENTATION

• f425950a6 #3805 remove npm Enterprise from documentation (@ethomson)
• bb0b2da6c #3699 fix(docs): add note about workspace script order (@behnammodi)

v7.24.1 (2021-09-23)

DEPENDENCIES

• 1be8d41e6 socks-proxy-agent@6.1.0:
  • feat: allow passing tls connection options
• eafd55eae glob@7.2.0

DOCS

• dae5ce305 #3784 docs: document special meaning of registry.npmjs.com (@everett1992)

v7.24.0 (2021-09-16)

FEATURES

• c7787b3fb 1fbbe1e04 bundled npm-install-checks (@wraithgar)

BUG FIXES

• 0320bd77e #3739 fix(view): Show the correct publish date for versions selected by range (@andersk)
• e4a521857 #3748 fix(install.sh): don't remove old npm first (@wraithgar)
• b4aac345b #3754 fix(config): user-agent properly shows ci (@wraithgar)
• b807cd62e #3738 fix(search): return valid json for no results (@AyushRawal)
• 2def17a3b #3760 fix(install): use configured registry when checking manifest (@yacoman89)
• ca792acdd #3761 fix(logs): clean args for failed commands (@wraithgar)

DEPENDENCIES

• 59743972c #3747 fix(did-you-mean): succeed if cwd is not a package (@wraithgar)
• ac8e4ad18 init-package-json@2.0.5:
  • fix: bin script path
• 371655a6b minipass@3.1.5:
  • fix: re-emit 'error' event if missed and new listener added
  • fix: do not blow up if process is missing

DOCUMENTATION

• 4d93b484a #3759 fix(docs): use correct hyperlink to package-json (@nategreen)

v7.23.0 (2021-09-09)

FEATURES

• 6c12500ae #3731 feat(install): very strict global npm engines (@wraithgar)

BUG FIXES

• 1ad093824 #3732 fix(error-message): clean urls from 404 error (@wraithgar)

DOCUMENTATION

• 64f7d1a55 #3727 docs(contributing): add note on changes to tooling (@darcyclarke)
• eda9162f2 #3715 Add --if-present flag documentation to workspaces (@Matsuuu)

v7.22.0 (2021-09-02)

BUG FIXES

• 6f431fe23 #3690 Fix one “see also” link (@tripu)

DEPENDENCIES

• 033e948c9 read-package-json@4.1.1:
  • feat: add types lookup
  • fix(man): don't lose relative man path
• 1fa549db0 @npmcli/config@2.3.0:
  • feat: export npm_config_local_prefix and npm_config_global_prefix to the environment
• e91578d10 minpass-fetch@1.4.1:
  • Made rejectUnauthorized depend on NODE_TLS_REJECT_UNAUTHORIZED
• 6125db545 are-we-there-yet@1.1.6
• 0dcda73b0 string_decoder@1.3.0
• 4b913417c npmlog@5.0.1
• 876c755eb @npmcli/arborist@2.8.3:
  • fix: do not fail adding unresolvable optional dep

v7.21.1 (2021-08-26)

BUG FIXES

• 4e52217cb #3684 fix(config): respect --global, --package-lock-only (@nlf)

DEPENDENCIES

• e3878536f make-fetch-happen@9.1.0:
  • fix: use the same strictSSL default as tls.connect
• 145f70cc1 read-package-json@4.0.1:
  • fix: Add gitHead in subdirectories too
  • fix(man): don't resolve paths to man files
• 3f4d37143 tar@6.1.11:
  • fix: perf regression on hot string munging path
• e63a942c6 cacache@15.3.0:
  • feat: introduce @npmcli/fs for tmp dir methods

DOCUMENTATION

• 957fa6040 #3681 clarify uninstall lifecycle script (@fritzy)

v7.21.0 (2021-08-19)

FEATURES

• ff34d6cd6 #3592 feat(cache): initial implementation of ls and rm (@fritzy)

BUG FIXES

• 32e88c943 #3640 fix(did-you-mean): switch levenshtein libraries (@wraithgar)
• 487731cd5 #3658 fix(logging): sanitize logged argv (@wraithgar)
• 68a19bb02 #3661 fix(error-message): look for er.path not er.file (@wraithgar)

DEPENDENCIES

• df57f0d53 @npmcli/run-script@1.8.6
• 8183976cf normalize-package-data@3.0.3:
  • fix: account for "licence" as spelling variant
• f07772401 init-package-json@2.0.4
• 991a3bd39 read-package-json@4.0.0
• e9e5ee560 @npmcli/arborist@2.8.2:
  • fix: treat top-level global packages as "top" nodes
  • fix: load global symlinks implicitly as file: deps
  • fix(reify): debug crash when extracting into symlink
  • fix: node_modules must be a directory
  • fix: make Node.children() a case-insensitive Map
  • fix(reify): verify existing deps in nm are dirs
• b6f40b5f8 tar@6.1.10:
  • fix: prune dirCache properly for unicode, windows
  • fix: reserve paths properly for unicode, windows
  • fix: prevent path escape using drive-relative paths
  • fix: drop dirCache for symlink on all platforms
• 218cacadc is-core-module@2.6.0
• 7ac621cd1 smart-buffer@4.2.0
• 94f92de13 make-fetch-happen@9.0.5
• 71cdfd898 spdx-license-ids@3.0.10:
  • update license list to v3.14

DOCUMENTATION

• ff6626ab6 #3630 fix(docs): update npm-publish access flag info (@austincho)

v7.20.6 (2021-08-12)

DEPENDENCIES

• 5bebf280f tar@6.1.8
  • fix: reserve paths case-insensitively
• 5d89de44d tar@6.1.7:
  • fix: normalize paths on Windows systems
• a1bdbea97 #3569
  • remove byte-size (@wraithgar)
• 61782fa85 @npmcli/map-workspaces@1.0.4:
  • fix: better error message for duplicate workspace names
• b88f770fa @npmcli/arborist@2.8.1:
  • [#3632] Fix "cannot read property path of null" error in 'npm dedupe'
  • fix(shrinkwrap): always set name on the root node

DOCUMENTATION

• 001f2c1b7 #3621 fix(docs): do not include certain files (@AkiJoey)
• d1812f1a6 #3630 fix(docs): update npm-publish access flag info (@austincho)
• d5a099c7b #3615 fix(readme): add nvm-windows to installers links (@Yash-Singh1)

v7.20.5 (2021-08-05)

DEPENDENCIES

• 44377738e graceful-fs@4.2.8
  • fix: start retrying immediately, stop after 60 seconds

v7.20.4 (2021-08-05)

BUG FIXES

• 6a8086e25 #3463 fix(tests): move more tests to use real npm (@wraithgar)

DEPENDENCIES

• 15fae4941 tar@6.1.6:
  • fix: properly handle top-level files when using strip
  • Avoid an unlikely but theoretically possible redos
  • WriteEntry backpressure
  • fix(unpack): always resume parsing after an entry error
  • fix(unpack): fix hang on large file on open() fail
  • fix: properly prefix hard links
• 745326de0 libnpmexec@2.0.1:
  • Clear progress bar which overlays confirm prompt
• e82bcd4e8 graceful-fs@4.2.7:
  • fix: start retrying immediately, stop after 10 attempts

v7.20.3 (2021-07-29)

BUG FIXES

• 66dc5f94d #3588 update eresolve explanations for new arborist data provided
• 99575acab #3591 fix(node_modules): remove duplicated file (@wraithgar)

DEPENDENCIES

• 97cb5ec31 @npmcli/arborist@2.8.0:
  • Refactor ideal tree building to handle more complicated peerDependencies use cases.
  • Do not modify ideal tree while checking if a peerSet can be placed.
• 7db1a0a26 chore(deps): mime-types@1.49.0 mime-db@1.49.0

v7.20.2 (2021-07-27)

DEPENDENCIES

• f5aab1f88 tar@6.1.1
  • fix: strip absolute paths more comprehensively
• ce8fb0f69 tar@6.1.2
  • fix: Remove paths from dirCache when no longer dirs
• ced85087a gauge@3.0.1
  • add missing dependency to package.json

v7.20.1 (2021-07-22)

BUG FIXES

• 009ad1e68 #3561 fix(exit-handler): always warn if not called (@wraithgar)
• eb67054c8 #3563 fix(config): consolidate use of npm.color (@wraithgar)

DOCUMENTATION

• a014f3d28 #3562 fix(docs): typo in npm cmd docs (@wraithgar)
• 1fe1c9b74 #3523 fix(docs): updated policy urls (@DemiraDimitrova)

DEPENDENCIES

• d7f29e8c9 read-package-json-fast@2.0.3:
  • feat: load directories.bin as a bin object
• b1fefa73d npmlog@5.0.0
  • Drop support for node 6 and 8
• b6e09971a remove ignored files from node_modules ([@Ruy Adorno](https://github.com/Ruy Adorno))
• cf737c505 debug@4.3.2

v7.20.0 (2021-07-15)

FEATURES

• f17aca5cd #3487 feat: add npm pkg command (@ruyadorno)
• 98905ae37 #3471 feat(config): introduce location parameter (@nlf)

BUG FIXES

• 4755b0728 #3498 friendlier errors for ERR_SOCKET_TIMEOUT (@nlf)
• 3ecf19cdc #3508 fix(config): fix noproxy (@wraithgar)
• c3bd10e46 #3499 fix(update-notifier): don't force black background (@wraithgar)
• 89483e888 #3497 fix(usage): better audit/boolean flag usage output (@wraithgar)
• feeb8e42a #3495 fix(publish): obey --ignore-scripts flag (@wraithgar)
• 103c8c3ef #3479 chore(exit): log any un-ended timings (@wraithgar)
• efc4313c2 #3482 chore(refactor): refactor exit handler and tests (@wraithgar)
• d8eb49b70 #3540 fix(bundle-and-ignore): case sensitivity cleanup (@wraithgar)

DOCUMENTATION

• 339145f64 #3491 fix(docs): clarify what install type gets .bin (@wraithgar)
• 74c99755e #3494 fix(docs): add npm update example (@wraithgar)
• 801a52330 #3542 fix(docs): correct Node.js JavaScript stylings (@relrelb)
• 791416713 #3546 fix(docs): how to see background script output (@cinderblock)

DEPENDENCIES

• 691816f3d @npmcli/arborist@2.7.1
  • fixes running prepare scripts for workspaces on reify
  • ensure pacote always compares correct integrity values
• b9597e944 make-fetch-happen@9.0.4
  • fix: retry socket timeout failures
  • fix: clean up invalid indexes and content after cacache read errors
• f573e7c56 minipass-fetch@1.3.4
  • fix: correctly handle error events that happen after response events
• 2d5797ea0 pacote@11.3.5
  • fix: show more actionable messages for git pathspec errors
  • fix: include all dep types when building for prepare
  • fix: do not set mtime when unpacking

v7.19.1 (2021-07-01)

BUG FIXES

• 013f0262d #3469 fix(exitHandler): write code to logfile (@wraithgar)

• 0dd0341ac #3474 fix(ping): make "npm ping" echo a right time (@aluneed)

• d2e298f3c #3484 fix(deprecate): add undeprecate support (@wraithgar)

  DOCUMENTATION

• 9dd32d08e #3485 fix(docs): remove npm package config override (@wraithgar)

• a4e095618 #3486 fix(docs): remove .hooks scripts (@wraithgar)

TESTING

• 5f8ccccef #3483 chore(tests): clean snapshot for lib/view.js tests (@wraithgar)

v7.19.0 (2021-06-24)

FEATURES

• 23ce3af19 #3460 feat(ls): report why something is invalid (@isaacs)

BUG FIXES

• 53f81af31 #3450 fix(docs): Improve phrasing of workspace example (@lumaxis)
• 78da60ffe #3454 chore(linting): add bin and clean up lib/ls.js
• 54eae3063 #3416 chore(errorHandler): rename to exit handler (@wraithgar)
• d0f50b156 #3451 chore(refactor): async npm.load (@wraithgar)
• 87f67d9ef #3458 chore(tests): expose real mock npm object (@wraithgar)
• f3dce0917 #3459 chore(config): snapshot config descriptions (@wraithgar)
• 6254b6f72 #3234 #3455 @npmcli/package-json refactor (@ruyadorno)

DEPENDENCIES

• fe4138381 @npmcli/arborist@2.6.4:
  • bin: allow turning off timer display with --timers=false
  • fix: do not try to inflate a fresh lockfile
  • fix(diff): walk target children if root is a link
  • chore: @npmcli/package-json refactor

v7.18.1 (2021-06-17)

BUG FIXES

• fce30e423 #3435 fix(docs): rebuild config docs (@wraithgar)

v7.18.0 (2021-06-17)

FEATURES

• ae285b391 #3408 feat(ls): support --package-lock-only flag (@G-Rath)
• c984fb59c #3420 feat(pack): add pack-destination config (@wraithgar)

BUG FIXES

• 40829ec40 #2554 #3399 fix(link): do not prune packages (@ruyadorno)
• 102d4e6fb #3417 fix(workspaces): explicitly error in global mode (@wraithgar)
• 993df3041 #3423 fix(docs): ls command usage instructions (@gurdiga)
• dcc13662c #3418 fix(config): update link definition (@wraithgar)
• b19e56c2e #3382 #3429 fix(ls): respect prod config for workspaces (@ruyadorno)
• c99b8b53c #3430 fix(config): add flatOptions.npxCache (@wraithgar)
• e5abf2a21 #3386 chore(libnpmdiff): added as workspace (@ruyadorno)
• c6a8734d7 #3388 chore(refactor): finish passing npm context (@wraithgar)
• d16ee452a #3426 chore(tests): use path.resolve (@wraithgar)

DEPENDENCIES

• 6b951c042 libnpmversion@1.2.1:
  • fix(retrieve-tag): pass match in a way git accepts
• de820a021 npm-package-arg@8.1.5:
  • fix: Make file: URLs (mostly) RFC 8909 compliant
• 16a95c647 @npmcli/arborist@2.6.3:
  • fix(inventory) handle old and british forms of 'license'
  • fix: removes [_complete] check to apply correct metadata
  • ensure node.fsParent is not set to node itself
  • fix extraneous deps on load-actual
• d341bd86c make-fetch-happen@9.0.3:
  • fix: implement cache modes correctly
• c90612cf5 libnpmexec@2.0.0:
  • use new npxCache option

v7.17.0 (2021-06-10)

FEATURES

• ef668ab57 #3368 feat(diff): add workspace support (@wraithgar)

BUG FIXES

• 26d00c477 #3364 fix(tests): mock writeFile in pack tests so we dont create 0 byte files in the repo (@nlf)
• f130a81d6 #3367 fix(linting): add scripts, docs, smoke-tests (@wraithgar)
• 992799cd8 #3383 fix(login): properly save scope if defined (@wraithgar)

DOCUMENTATION

• 844229519 #3392 docs(workspaces): update using npm section Added examples of using npm init to bootstrap a new workspace and a section on how to add/manage dependencies to workspaces. (@ruyadorno)

DEPENDENCIES

• 3654890fb remove ignored dep (@nlf)
• a4a0e68a9 #3362 check less stuff into node_modules (@isaacs)
• 7d5b049b6 #3365 chore(package) Use a "files" list (@isaacs)

v7.16.0 (2021-06-03)

FEATURES

• e92b5f2ba npm-registry-fetch@11.0.0
  • feat: improved logging of cache status

BUG FIXES

• e864bd3ce #3345 fix(update-notifier): do not update notify when installing npm@spec (@isaacs)
• aafe23572 #3348 fix(update-notifier): parallelize check for updates (@isaacs)

DOCUMENTATION

• bc9c57dda #3353 fix(docs): remove documentation for '--scripts-prepend-node-path' as it was removed in npm@7 (@gimli01)
• ca2822110 #3360 fix(docs): link foreground-scripts w/ loglevel (@wraithgar)
• fb630b5a9 #3342 chore(docs): manage docs as a workspace (@ruyadorno)

DEPENDENCIES

• 54de5c6a4 npm-package-arg@8.1.4:
  • fix: trim whitespace from fetchSpec
  • fix: handle file: when root directory begins with a special character
• e92b5f2ba make-fetch-happen@9.0.1
  • breaking: complete refactor of caching. drops warning headers, prevents cache indexes from growing for every request, correctly handles varied requests to the same url, and now caches redirects.
  • fix: support url-encoded proxy authorization
  • fix: do not lazy-load proxy agents or agentkeepalive. fixes the intermittent failures to update npm on slower connections. npm-registry-fetch@11.0.0
  • breaking: drop handling of deprecated warning headers
  • docs: fix header type for npm-command
  • docs: update registry param
  • feat: improved logging of cache status
• 23c50a45f make-fetch-happen@9.0.2:
  • fix: work around negotiator's lazy loading

AUTOMATION

• c4ef78b08 #3344 fix(automation): update incorrect variable name in create-cli-deps-pr workflow (@gimli01)

v7.15.1 (2021-05-31)

BUG FIXES

• 598a17a26 #3329 fix(libnpmexec): don't detach output from npm (@wraithgar)

DEPENDENCIES

• c4fc03e9e @npmcli/arborist@2.6.1
  • fixes reifying deps with mismatching version ranges between actual and virtual trees
• 9159fa62a libnpmexec@1.2.0

v7.15.0 (2021-05-27)

FEATURES

• 399ff8cbc #3312 feat(link): add workspace support (@isaacs)

BUG FIXES

• 46a9bcbcb #3282 fix(docs): proper postinstall script file name (@KevinFCormier)
• 83590d40f #3272 fix(ls): show relative paths from root (@isaacs)
• a574b518a #3304 fix(completion): restore IFS even if npm completion returns error (@NariyasuHeseri)
• 554e8a5cd #3311 set audit exit code properly (@isaacs)
• 4a4fbe33c #3268 #3285 fix(publish): skip private workspaces (@ruyadorno)

DOCUMENTATION

• 3c53d631f #3307 fix(docs): typo in package-lock.json docs (@rethab)
• 96367f93f rebuild npm-pack doc (@isaacs)
• 64b13dd10 #3313 Drop stale Python 3<->node-gyp remark (@spencerwilson)

DEPENDENCIES

• 7b56bfdf3 cacache@15.2.0:
  • feat: allow fully deleting indices
  • feat: add a validateEntry option to compact
  • chore: lint
  • chore: use standard npm style release scripts
• dbbc151a3 npm-audit-report@2.1.5:
  • fix(exit-code): account for null auditLevel default (#46)
• 5b2604507 chore(package-lock): update devDependencies (@Gar)

AUTOMATION

• 3d5df0082 #3294 chore(ci): move node release PR workflow to cli repo (@gimli01)

v7.14.0 (2021-05-20)

FEATURES

• 0d1a9d787 #3227 feat(install): add workspaces support to npm install commands (@isaacs)
• c18626f04 #3250 feat(ls): add workspaces support (@ruyadorno)
• 41099d395 #3265 feat(explain): add workspaces support (@ruyadorno)
• fde354669 #3251 feat(unpublish): add workspace/dry-run support (@wraithgar)
• 83df3666c #3260 feat(outdated): add workspaces support (@ruyadorno)
• 63a7635f7 #3217 feat(pack): add support to json config/output (@mrmlnc)

BUG FIXES

• faa12ccc2 #3253 fix search description typos (@juanpicado)
• 2f5c28a68 #3243 fix(docs): autogenerate config docs for commands (@isaacs)

DEPENDENCIES

• ec256a14a @npmcli/arborist@2.6.0
• 5f15aba86 cacache@15.1.0
• b3add87e6 #3262 npm-registry-client@10.1.2:
  • fixed sso login token

v7.13.0 (2021-05-13)

FEATURES

• 076420c14 #3231 feat(publish): add workspace support (@wraithgar)
• 370b36a36 #3241 feat(fund): add workspaces support (@ruyadorno)

DEPENDENCIES

• 0c18e4f77 @npmcli/arborist@2.5.0
• b551c6811 libnpmfund@1.1.0

v7.12.1 (2021-05-10)

BUG FIXES

• de49f58f5 #3216 fix(contributing): link to proper cli repo (@mrmlnc)
• 1d092144e #3203 fix(packages): locale-agnostic string sorting (@isaacs)
• 0696fca13 #3209 fix(view): fix non-registry specs (@wraithgar)
• 71ac93597 #3206 chore(github): Convert md issue template to yaml (@lukehefson)
• 6fb386d3b #3201 fix(tests): increase test fuzziness (@wraithgar)
• f3a662fcd #3211 fix(tests): use config defaults (@wraithgar)

DEPENDENCIES

• 285976fd1 @npmcli/arborist@2.4.4
  • fix(reify): properly save spec if prerelease
• f9f24d17c libnpmexec@1.1.1
  • fix(add): Specify 'en' locale to String.localeCompare
• cb9f17499 glob@7.1.7
  • force 'en' locale in string sorting
• 24b4e4a41 ignore-walk@3.0.4
  • Avoid locale-specific sorting issues
• 1eb7e5c7d @npmcli/arborist@2.4.3
  • guard against locale-specific sorting
• a6a826067 npm-packlist@2.2.2:
  • fix(sort): avoid locale-dependent sorting issues

v7.12.0 (2021-05-06)

FEATURES

• 701627c51 #3098 feat(cache): Allow add to accept multiple specs (@mjsir911)
• 59171f030 #3187 feat(config): add workspaces boolean to user-agent (@nlf)

BUG FIXES

• 2c9b8713c #3182 fix(docs): fix broken links (@wangsai)
• 88cbc8c44 #3198 fix(tests): reflect new libnpmexec logic

DEPENDENCIES

• d01ce5e13 libnpmexec@1.1.0:
  • feat: add walk up dir lookup to satisfy local bins
• 81c1dfaaa @npmcli/arborist@2.4.2:
  • fix(add): save packages in the right place
  • fix(reify): do not clean up nodes with no parent
  • fix(audit): support alias specs & root package names
• 87c2303ea @npmcli/git@2.0.9:
  • fix(clone): Do not allow git replacement objects by default
• 99ff40dff npm-packlist@2.2.0:
  • feat(npmignore): Do not force include history, changelogs, notice
  • fix(package.json): add missing bin/index.js to files

v7.11.2 (2021-04-29)

BUG FIXES

• c371f183e #3137 #3140 fix(ls): do not warn on missing optional deps (@isaacs)
• 861f606c7 #3156 fix(build): make prune rule work on case-sensitive file systems (@lpinca)

DEPENDENCIES

• fb79d89a0 tap@15.0.6
• ce3820043 @npmcli/arborist@2.4.1
  • fix: prevent and eliminate unnecessary duplicates
  • fix: support resolvable partial intersecting peerSets

DOCUMENTATION

• e479f1dac #3146 mention directories.bin in bin (@felipecrs)

v7.11.1 (2021-04-23)

DEPENDENCIES

• 7925cca24 pacote@11.3.3:
  • fix(registry): normalize manfest
• b61eac693 #3130 @npmcli/config@2.2.0
• c74e67fc6 #3130 npm-registry-fetch@10.1.1

DOCUMENTATION

• efdd7dd44 Remove unused and incorrectly documented --always-auth config definition (@isaacs)

v7.11.0 (2021-04-22)

FEATURES

• 4c1f16d2c #3095 feat(init): add workspaces support (@ruyadorno)

BUG FIXES

• 42ca59eee #3086 fix(ls): do not exit with error when all problems are extraneous deps (@nlf)
• 2aecec591 #2724 #3119 fix(ls): make --long work when missing deps (@ruyadorno)
• 42e0587a9 #3115 fix(pack): refuse to pack invalid packument (@wraithgar)
• 1c4eff7b5 #3126 fix(logout): use isBasicAuth attribute (@wraithgar)

DOCUMENTATION

• c93f1c39e #3101 chore(docs): update view docs (@wraithgar)
• c4ff4bc11 npm/statusboard#313 #3109 fix(usage): fix refs to ws shorthand (@ruyadorno)

DEPENDENCIES

• 83166ebcc npm-registry-fetch@10.1.0
  • feat(auth): set isBasicAuth
• e02bda6da npm-registry-fetch@10.0.0
  • feat(auth) load/send based on URI, not registry
• a0382deba @npmcli/run-script@1.8.5
  • fix: windows ComSpec env variable name
• 7f82ef5a8 pacote@11.3.2
• 35e49b94f @npmcli/arborist@2.4.0
• 95faf8ce6 libnpmaccess@4.0.2
• 17fffc0e4 libnpmhook@6.0.2
• 1b5a213aa libnpmorg@2.0.2
• 9f83e6484 libnpmpublish@4.0.1
• 251f788c5 libnpmsearch@3.1.1
• 35873a989 libnpmteam@2.0.3
• 23e12b4d8 npm-profile@5.0.3

v7.10.0 (2021-04-15)

FEATURES

• f9b639eb6 #3052 feat(bugs): fall back to email if provided (@Yash-Singh1)
• 8c9e24778 #3055 feat(version): add workspace support (@wraithgar)

DEPENDENCIES

• f1e6743a6 libnpmversion@1.2.0
  • feat(retrieve-tag): retrieve unannotated git tags
  • fix(retrieve-tag): use semver to look for semver
• 3b476a24c @npmcl/git@2.0.8
  • fix(git): do not use shell when calling git
• dfcd0c1e2 #3069 tap@15.0.2

DOCUMENTATION

• 90b61eda9 #3053 fix(contributing.md): explicitely outline dep updates (@darcyclarke)

v7.9.0 (2021-04-08)

FEATURES

• 1f3e88eba #3032 feat(dist-tag): add workspace support (@nlf)
• 6e31df4e7 #3033 feat(pack): add workspace support (@wraithgar)

DEPENDENCIES

• ba4f7fea8 licensee@8.2.0

v7.8.0 (2021-04-01)

FEATURES

• 8bcc5d73f #2972 feat(workspaces): add repo and docs (@wraithgar)
• ec520ce32 #2998 feat(set-script): implement workspaces
• 32717a60e #3001 feat(view): add workspace support (@wraithgar)
• 7b177e43f #3014 feat(config): add 'envExport' flag (@isaacs)

BUG FIXES

• 4c4252348 #3016 fix(usage): specify the key each time for multiples (@isaacs)
• 9237d375b #3013 fix(docs): add workspaces configuration (@wraithgar)
• cb6eb0d20 #3015 fix(ERESOLVE): better errors when current is missing (@isaacs)

DEPENDENCIES

• 61da39beb @npmcli/config@2.1.0
  • feat(config): add support for envExport:false
• fb095a708 @npmcli/arborist@2.3.0:
  • #2896 Provide currentEdge in ERESOLVE if known, and address self-linking edge case.
  • Add/remove dependencies to/from workspaces when set, not root project
  • Only reify the portions of the dependency graph identified by the workspace configuration value.
  • Do not recursively chown the project root path.

v7.7.6 (2021-03-29)

BUG FIXES

• 9dd2ed518 fix empty newline printed to stderr (@ruyadorno)
• 9d391462a #2973 fix spelling in workspaces.md file (@sethomas)
• 4b100249a #2979 change 'maxsockets' default value back to 15 (@wallrat)

DEPENDENCIES

• a28f89572 libnpmversion@1.1.0
  • fix reading script-shell config on npm version lifecycle scripts
• 03734c29e npm-packlist@2.1.5
  • fix packaging bundledDependencies
• 80ce2a019 @npmcli/metavuln-calculator@1.1.1
  • fix error auditing package documents with missing dependencies

v7.7.5 (2021-03-25)

BUG FIXES

• 95ba87622 #2949 fix handling manual indexes in npm help (@dmchurch)
• 59cf37962 #2958 always set npm.command to canonical command name (@isaacs)
• 1415b4bde #2964 fix(config): properly translate user-agent (@wraithgar)
• 59271936d #2965 fix(config): tie save-exact/save-prefix together (@wraithgar)

TESTS

• 97b415287 #2959 add smoke tests (@ruyadorno)

v7.7.4 (2021-03-24)

BUG FIXES

• 200bee74b #2951 fix(config): accept explicit production=false (@wraithgar)
• 7b45e9df6 #2950 warn if using workspaces config options in npm config (@ruyadorno)

v7.7.3 (2021-03-24)

BUG FIXES

• c76f04ac2 #2925 fix(set-script): add completion (@Yash-Singh1)
• 0379eab69 #2929 fix(install): ignore auditLevel npm install should not be affected by the auditLevel config, as the results of audit do not change its exit status. (@wraithgar)
• 98efadeb4 #2923 fix(audit-level): add info audit level This is a valid level but wasn't configured to be allowed. Also added this param to the usage output for npm audit (@wraithgar)
• e8d2adcf4 #2945 config should not error when workspaces are configured (@nlf)
• aba2bc623 #2944 fix(progress): re-add progress bar to reify The logger was no longer in flatOptions, we pass it in explicitly now (@wraithgar)
• 877b4ed29 #2946 fix(flatOptions): re-add _auth This was not being added to flatOptions, and things like npm-registry-fetch are looking for it. (@wraithgar)

v7.7.2 (2021-03-24)

BUG FIXES

• a4df2b98d #2942 Restore --dev flag, unify --omit flatteners (@isaacs)

DEPENDENCIES

• 2cbfaac0e hosted-git-info@4.0.2
  • #83 Do not parse urls for gitlab (@nlf)

v7.7.1 (2021-03-24)

BUG FIXES

• 543b0e39b #2930 fix(uninstall): use correct local prefix (@jameschensmith)
• dce4960ef #2932 fix(config): flatten savePrefix properly (@wraithgar)

v7.7.0 (2021-03-23)

FEATURES

• 33c4189f9 #2864 add npm run-script workspaces support (@ruyadorno)
• e1b3b318f #2886 add npm exec workspaces support (@ruyadorno)
• 41facf643 #2859 expanded "Did you mean?" suggestions for missing cmds and scripts (@wraithgar)

BUG FIXES

• 8cce4282f #2865 npm publish: handle case where multiple config list is present (@kenrick95)
• 6598bfe86 mark deprecated configs (@isaacs)
• 8a38afe77 #2881 docs(package-json): document default main behavior (@klausbayrhammer)
• 93a061d73 #2917 add action items to npm run error output (@wraithgar)

DOCUMENTATION

• ad65bd910 #2860 fix link in configuring-npm (@varmakarthik12)
• b419bfb02 #2876 fix test-coverage command in contributing guide (@chowkapow)

DEPENDENCIES

• 7b5606b93 @npmcli/arborist@2.2.9
  • #254 Honor explicit prefix when saving dependencies (@jameschensmith)
  • #255 Never save to bundleDependencies when saving a peer or peerOptional dependency. (@isaacs)
• f76e7c21f pacote@11.3.1
  • increases tarball compression level
• 4928512bc semver@7.3.5
  • fix handling prereleases/ANY ranges in subset
• 1924eb457 libnpmversion@1.0.12
  • fix removing undescored-prefixed package.json properties in npm version
• 916623056 @npmcli/run-script@1.8.4
  • fix expanding windows-style environment variables
• a8d0751e4 npm-pick-manifest@6.1.1
  • fix running packages with a single executable binary with npm exec
• af7eaac50 hosted-git-info@4.0.1
• f52c51db1 @npmcli/config@2.0.0

v7.6.3 (2021-03-11)

DOCUMENTATION

• 8c44e999b #2855 Correct "npm COMMAND help" to "npm help COMMAND" (@dwardu)

DEPENDENCIES

• 57ed390d6 @npmcli/arborist@2.2.8
  • Respect link deps when calculating peerDep sets

v7.6.2 (2021-03-09)

BUG FIXES

• e0a3a5218 #2831 Fix cb() never called in search with --json option (@fraqe)
• 85a8694dd #2795 fix(npm.output): make output go through npm.output (@wraithgar)
• 9fe0df5b5 #2821 fix(usage): clean up usage declarations (@wraithgar)

DEPENDENCIES

• 7f470b5c2 @npmcli/arborist@2.2.7
  • fix(install): Do not revert a file: dep to version on bare name re-install
• e9b7fc275 libnpmdiff@2.0.4
  • fix(diff): Gracefully handle packages with prepare script
• c7314aa62 byte-size@7.0.1
• 864f48d43 pacote@11.3.0

v7.6.1 (2021-03-04)

BUG FIXES

• 3c9a589b0 #2807 npm explain show when an edge is a bundled edge (@kumavis)
• b33c760ce #2766 unused arguments cleanup (@sandersn)
• 4a5dd3a5a #2772 fix(npm) pass npm context everywhere (@wraithgar)
• e69be2ac5 #2789 fix npm prefix on all Windows unix shells (@isaacs)
• 2d682e4ca #2803 fix(search): don't pass unused args (@wraithgar)
• b3e7dd19b #2822 fix(diff): set option "where" for pacote (@ruyadorno)
• 96006640b #2824 fix(repo, auth.sso): don't promisify open-url (@wraithgar)

DOCUMENTATION

• c8b73db82 #2690 fix(docs): update scripts docs (@wraithgar)
• 5d922394b #2809 update republish timeout after unpublish (@BAJ-)

DEPENDENCIES

• 2d4ae598f @npmcli/arborist@2.2.6

v7.6.0 (2021-02-25)

FEATURES

• 983d218f7 #2750 feat(explain): mark when dependency is bundled (@kumavis)

DEPENDENCIES

• b9fa7e32a chore(package-lock): resetdeps and eslint@7.20.0 (@wraithgar)
• 28d036ae9 arborist@2.2.5
  • fix: hidden lockfiles were not respected on Node v10.0-10.12

DOCUMENTATION

• ba1adef42 #2760 chore(docs): capitalize all Instaces of "package" (@MrBrain295)
• 8bfa05fa1 #2775 chore(docs): add navigation configuration (@ethomson)
• 238e474a4 #2778 chore(docs):update unpublish cooldown (@christoflemke)

v7.5.6 (2021-02-22)

BUG FIXES

• 4e58274ed #2742 Do not print error banner for shell proxy commands (@isaacs)

DOCS

• 3c72ab441 #2749 Capitalize Package in a Heading (@MrBrain295)

DEPENDENCIES

• f3ae6ed0d read-package-json@3.0.1, read-package-json-fast@2.0.2
• 9b311fe52 #2736 @npmcli/arborist@2.2.4:
  • Do not rely on underscore fields in package.json files
  • Do not remove global packages when updating by name
  • Keep yarn.lock and package-lock.json more in sync

v7.5.5 (2021-02-22)

BUG FIXES

• 49c95375a #2688 fix shrinkwrap in node v10.0 (@ljharb)
• 00afa3161 #2718 restore the prefix on output from npm version <inc> (@nlf)
• 69e0c4e8c #2716 throw an error when trying to dedupe in global mode (@nlf)
• b018eb842 #2719 obey silent loglevel in run-script (@wraithgar)

DEPENDENCIES

• 8c36697df @npmcli/arborist@2.2.3
  • #1875 arborist#230 Set default advisory severity/vulnerable_range when missing from audit endpoint data (@isaacs)
  • npm/arborist#231 skip optional deps with mismatched platform or engine (@nlf)
  • #2251 Unpack shrinkwrapped deps not already unpacked (@isaacs, @nlf)
  • #2714 Do not write package.json if nothing changed (@isaacs)
  • npm/rfcs#324 Prefer peer over prod dep, if both specified (@isaacs)
  • npm/arborist#236 Fix additional peerOptional conflict cases (@isaacs)
• d865b101f libnpmpack@2.0.1
  • respect silent loglevel
• e606953e5 libnpmversion@1.0.11
  • respect silent loglevel
• 9c51005a1 npm-package-arg@8.1.1
  • do a better job of detecting git specifiers like git@github.com:npm/cli
• 8b6bf0db4 pacote@11.2.7
  • respect silent loglevel
  • fix INVALID_URL errors for certain git dependencies

TESTS

• 80c2ac995 #2717 refactor publish tests (@wraithgar)
• 9d81e0ceb #2729 fix typo in shrinkwrap tests (@eltociear)

DOCUMENTATION

• e3de7befb #2685 docs(readme): add note back about branding/origin (@darcyclarke)
• 38d87e7c2 #2698 mention nodenv in README.md (@RA80533)
• af4422cdb #2711 validate that the docs can be parsed by mdx (@ethomson)

v7.5.4 (2021-02-12)

BUG FIXES

• ef687f545 #2655 fix(env): Do not clobber defined 'env' script (@isaacs)
• 868954a72 #2654 [fix] node v10.0 lacks fs.promises (@ljharb)

DEPENDENCIES

• 14dd93853 fix(package.json): resetdeps (@wraithgar)
• 39e4a6401 graceful-fs@4.2.6
• 96dffab98 eslint-plugin-promise@4.3.1
• 9a6e9d38a @npmcli/run-script@1.8.3
  • fix fs.promises reference to run in node v10.0
• 584b746a2 @npmcli/git@2.0.5
• 6305ebde4 make-fetch-happen@8.0.14
• e99881117 libnpmversion@1.0.10
• 554d91cdf chore(package-lock): rebuild package-lock (@wraithgar)
• 37e8cc507 @npmcli/arborist@2.2.2
  • #2505 properly install dependenciess of linked dependencies (@ruyadorno)
  • #2504 Allow --force to override conflicted optional peerDependencies (@isaacs)
  • Ensure correct flags on shrinkwrapped module deps (@isaacs)
  • Correct relative paths for global packages installed from tarball files (nlf)
• 7788ce47b @npmcli/map-workspaces@1.0.3

TESTS

• 3a159d27e #2681 fix(tests): rewrite doctor tests (@ljharb)
• abcc96a20 #2682 [tests] separate tests from linting and license validation (@ljharb)

DOCUMENTATION

• 7e1e84181 #2662 fix(docs): fix angle brackets in npm diff docs (@ethomson)

v7.5.3 (2021-02-08)

BUG FIXES

• df596bf4c fix(publish): follow all configs for registry auth check #2602 (@wraithgar)
• 6d7afb03c #2613 install script: pass -q to curl calls to disable user .curlrc files (@nlf)

DEPENDENCIES

• 3294fed6f pacote@11.2.5
  • prevent infinite recursion in git dep preparation
• 0f7a3a87c read-package-json-fast@2.0.1
  • avoid duplicating optionalDependencies as dependencies in package.json
• 6f46b0f7f init-package-json@2.0.2
• df4f65acc @npmcli/arborist@2.2.0
• 7038c2ff4 @npmcli/run-script@1.8.2
• 54cd4c87a libnpmversion@1.0.8
• 9ab36aae4 graceful-fs@4.2.5
• e1822cf27 @npmcli/installed-package-contents@1.0.7

v7.5.2 (2021-02-02)

BUG FIXES

• 37613e4e6 #2395 #2329 fix(exec): use latest version when possible (@wraithgar)
• 567c9bd03 fix(lib/npm): do not clobber config.execPath (@wraithgar)

DEPENDENCIES

• 643709706 @npmcli/config@1.2.9 (@isaacs)
  • 4c6be4a Restore npm v6 behavior with INIT_CWD
  • bbebc66 Do not set the PREFIX environment variable

v7.5.1 (2021-02-01

BUG FIXES

• 0ea134e41 #2587 pass all settings through to pacote.packument, fixes #2060 (@nlf)
• 8c5ca2f51 Add test for npm-usage.js, and fix 'npm --long' output (@isaacs)

DEPENDENCIES

• 7e4e88e93 @npmcli/arborist@2.1.1, pacote@11.2.4
  • Properly raise ERESOLVE errors on root dev dependencies
  • Ignore ERESOLVE errors when performing git dep 'prepare' scripts
  • Always reinstall packages that are explicitly requested
  • fix global update all so it actually updates things
  • Install bins properly when global root is a link (@isaacs)

DOCUMENTATION

• 23dac2fef #2557 npm team revamp (@ruyadorno)
• dd05ba0c0 #2572 add note about --force overriding peer dependencies (@isaacs)
• e27639780 #2584 Fixed the spelling of contributor as it was written as conributor (@pavanbellamkonda)
• 13a5e3178 #2502 elaborate that npm help uses browser (@ariccio)

v7.5.0 (2021-01-28)

FEATURES

• d011266b7 #1319 add npm diff command (@ruyadorno)

BUG FIXES

• d2f8af2da #2445 publish: don't complain about missing auth until after registry is chosen (@dr-js)

DOCUMENTATION

• 8d3fd63aa #2559 updates to readme, removal, contributing and several other docs (@darcyclarke)
• 7772d9f9f #2542 fix grammar on caching docs for search, exec and init (@wraithgar)
• 52e8a1aef #2558 refreshed npm updated docs (@ruyadorno)
• abae00ca0 #2565 update npm command docs (@wraithgar)
• 9351cbf9a #2566 refresh npm run-script docs (@ruyadorno)

DEPENDENCIES

• 56c08863e hosted-git-info@3.0.8
• 18a93f06b ssri@8.0.1
• cb768f671 @npmcli/move-file@1.1.1
• 32cc0a4be minipass-fetch@1.3.3
  • fixes ssl settings passthrough
• 530997968 @npmcli/arborist@2.1.0
  • added signal handler to rollback when possible
  • prevent ERESOLVEs caused by loose root dep specs
  • detect conflicts among nested peerOptional deps
  • properly buildIdealTree when root is a symlink

v7.4.3 (2021-01-21)

DOCUMENTATION

• ec1f06d06 #2498 docs(npm): update npm docs (@darcyclarke)

DEPENDENCIES

• bc23284cd #2511 remove coverage files (@ruyadorno)
• fcbc676b8 pacote@11.2.3
• ebd3a24ff @npmcli/arborist@2.0.6
  • Preserve git+https auth when provided

v7.4.2 (2021-01-15)

DEPENDENCIES

• e5ce6bbba
  • @npmcli/arborist@2.0.5
    • fix creating missing dirs when using --prefix and --global
    • fix omit types of deps in global installs
    • fix prioritizing npm-shrinkwrap.json over package-lock.json
    • better cache system for packuments
    • improves audit performance

v7.4.1 (2021-01-14)

BUG FIXES

• 23df96d33 #2486 npm link no longer deletes entire project when global prefix is a symlink (@nlf)

DOCUMENTATION

• 7dd0dfc59 #2459 fix(docs): clean up npm start docs (@wraithgar)
• 307b3bd9f #2460 fix(docs): clean up npm stop docs (@wraithgar)
• 23f01b739 #2462 fix(docs): clean up npm test docs (@wraithgar)
• 4b43656fc #2463 fix(docs): clean up npm prefix docs (@wraithgar)
• 1135539ba a07bb8e69 9b55b798e cd5eeaaa0 6df69ce10 dc6b2a8b0 a3c127446 #2464 fix(docs): clean up npm uninstall docs (@wraithgar)
• cfdcf32fd #2474 fix(docs): clean up npm unpublish docs (@wraithgar)
• acd5b062a #2475 fix(docs): update package-lock.json docs (@isaacs)
• b0b0edf6d #2482 fix(docs): clean up npm token docs (@wraithgar)
• 35559201a #2487 fix(docs): clean up npm search docs (@wraithgar)

DEPENDENCIES

• ea8c02169 @npmcli/arborist@2.0.5
• fb6f2c313 pacote@11.2.1
• c549b7657 make-fetch-happen@8.0.13

v7.4.0 (2021-01-07)

FEATURES

• 47ed2dfd8 #2456 add --foreground-scripts option (@isaacs)

BUG FIXES

• d01746a5a #2444 #1103 Remove deprecated process.umask() (@isaacs)
• b2e2edf8a #2422 npm publish --dry-run should not check login status (@buyan302)
• 99156df80 #2448 #2425 pass extra arguments directly to run-script as an array (@nlf)
• 907b34b2e #2455 fix(ci): pay attention to --ignore-scripts (@wraithgar)

DEPENDENCIES

• 7a49fd4af tar@6.1.0, pacote@11.1.14
• 54a7bd16c @npmcli/arborist@2.0.3

DOCUMENTATION

• a390d7456 #2440 Updated the url for RFC 19 so that it isn't a 404. (@therealjeffg)
• e02b46ad7 #2436 Grammatical Fix in npm-ls Documentation 'Therefore' is spelled 'Therefor' (@marsonya)
• 0fed44dea #2417 Fix npm bug reporting url (@AkiaCode)

7.3.0 (2020-12-18)

FEATURES

• a9b8bf263 #2362 Support multiple set/get/deletes in npm config (@isaacs)

BUG FIXES

• 9eef63849 Pass full set of options to login helper functions. This fixes npm login --no-strict-ssl, as well as a host of other options that one might want to set while logging in. Reported by: @toddself (@isaacs)
• 628a554bc #2358 fix doctor test to work correctly for node pre-release versions (@nlf)
• be4a0900b #2360 raise an error early if publishing without login, registry (@isaacs)
• 44d433105 #2366 Include prerelease versions when deprecating (@tiegz)
• cba3341da #2373 npm profile refactor (@ruyadorno)
• 7539504e3 #2382 remove the metrics sender (@nlf)

DOCS

• b98569a8c add note about INIT_CWD to run-script doc
• 292929279 #2368 Revert bug-reporting links to GH. Re: https://blog.npmjs.org/post/188841555980/updates-to-community-docs-more (@tiegz)
• f4560626f update ISSUE_TEMPLATE with modern links (@isaacs)
• bc1c567ed update npm command doc feature request links (@isaacs)
• 0ad958fe1 #2381 (docs,test): assorted typo fixes (@XhmikosR)

TESTING

• a92d310b7 #2361 Add max-len to lint rules (@Edu93Jer)

DEPENDENCIES

• 4fc2f3e05 #2300 @npmcli/config@1.2.8:
  • Support setting email without username/password

7.2.0 (2020-12-15)

FEATURES

• a9c4b158c #2342 allow npm rebuild to accept a path to a module (@nlf)

DEPENDENCIES

• beb371800 #2334 remove unused top level dep tough-cookie (@darcyclarke)
• d45e181d1 #2335 ini@2.0.0, @npmcli/config@1.2.7 (@isaacs)
• ef4b18b5a #2309 @npmcli/arborist@2.0.2
  • properly remove deps when no lockfile and package.json is present
• c6c013e6e readdir-scoped-modules@1.1.0
• a1a2134aa remove unused sorted-object dep (@nlf)
• 85c2a2d31 #2344 remove editor dependency (@nlf)

TESTING

• 3a6dd511c npm edit (@nlf)
• 3ba5de4e7 #2347 npm help-search (@nlf)
• 6caf19f49 #2348 npm help (@nlf)
• cb5847e32 #2349 npm hook (@nlf)
• 996a2f6b1 #2353 npm org (@nlf)
• 8c67c38a4 #2354 npm set (@nlf)

7.1.2 (2020-12-11)

DEPENDENCIES

• c3ba1daf7 #2033 @npmcli/config@1.2.6:
  • Set INIT_CWD to initial current working directory
  • Set NODE to initial process.execPath
• 8029608b9 json-parse-even-better-errors@2.3.1
• 0233818e6 #2332 treeverse@1.0.4
• e401d6bb3 ini@1.3.8
• 011bb1220 #2320 @npmcli/arborist@2.0.1:
  • Do not save with ^ and no version

BUGFIXES

• 244c2069f #2325 npm search include/exclude (@ruyadorno)
• d825e901e #1905 #2316 run install scripts for root project
• 315449142 #2331 #2021 Set NODE_ENV=production if 'dev' is on the omit list (@isaacs)

TESTING

• c243e3b9d #2313 tests: completion (@nlf)
• 7ff6efbb8 #2314 npm team (@ruyadorno)
• 7a4f0c96c #2323 npm doctor (@nlf)

DOCUMENTATION

• e340cf64b #2330 explain through run-script (@isaacs)

7.1.1 (2020-12-08)

DEPENDENCIES

• bf09e719c @npmcli/arborist@2.0.0
  • Much stricter tree integrity guarantees
  • Fix issues where the root project is a symlink, or linked as a workspace
• 7ceb5b728 ini@1.3.6
• 77c6ced2a make-fetch-happen@8.0.11
  • Avoid caching headers that are hazardous or unnecessary to leave lying around (authorization, npm-session, etc.)
  • #38 Include query string in cache key (@jpb)
• 0ef25b6cd libnpmsearch@3.1.0:
  • Update to accept query params as options, so we can paginate. (@nlf)
• 518a66450 @npmcli/config@1.2.4:
  • Do not allow path options to be set to a boolean false value
• 3d7aff9d8 update all dependencies using latest npm to install them

TESTS

• 2848f5940 npm/statusboard#173 #2293 npm shrinkwrap (@ruyadorno)
• f6824459a #2302 npm deprecate (@nlf)
• b7d74b627 npm/statusboard#180 #2304 npm unpublish (@ruyadorno)

FEATURES

• 3db90d944 #2303 allow for passing object keys to searchopts to allow pagination (@nlf)

7.1.0 (2020-12-04)

FEATURES

• 6b1575110 #2237 add npm set-script command (@Yash-Singh1)
• 15d7333f8 add interactive npm exec (@isaacs)

BUG FIXES

• 2a1192e4b #2202 Do not run interactive npm exec in CI when a TTY (@isaacs)

DOCUMENTATION

• 0599cc37d #2271 don't wrap code block (@ethomson)

DEPENDENCIES

• def85c726 @npmcli/arborist@1.0.14
  • fixes running npm exec from file system root folder
• 4c94673ab semver@7.3.4

7.0.15 (2020-11-27)

DEPENDENCIES

• 00e6028ef @npmcli/arborist@1.0.13
  • do not override user-defined shorthand values when saving package.json

BUG FIXES

• 9c3413fbc #2034 #2245 npm link <pkg> should not save package.json (@ruyadorno)

DOCUMENTATION

• 1875347f9 #2196 remove doc on obsolete unsafe-perm flag (@kaizhu256)
• f51e50603 #2200 config.md cleanup (@alexwoollam)
• 997cbdb40 #2238 Fix broken link to package.json documentation (@d-fischer)
• 9da972dc4 #2241 npm star docs cleanup (@ruyadorno)

7.0.14 (2020-11-23)

DEPENDENCIES

• 09d21ab90 @npmcli/run-script@1.8.1
  • fix a regression in how scripts are escaped

7.0.13 (2020-11-20)

BUG FIXES

• 5fc56b6db npm/statusboard#174 #2204 fix npm unstar command (@ruyadorno)
• 7842b4d4d npm/statusboard#182 #2205 fix npm version usage output (@ruyadorno)
• a0adbf9f8 #2206 #2213 fix: fix flatOptions usage in npm init (@ruyadorno)

DEPENDENCIES

• 3daaf000a @npmcli/arborist@1.0.12
  • fixes some windows specific bugs in how paths are handled and compared

DOCUMENTATION

• 084a7b6ad #2210 docs: Fix typo (@HollowMan6)

7.0.12 (2020-11-17)

BUG FIXES

• 7b89576bd #2174 fix running empty scripts with npm run-script (@nlf)
• bc9afb195 #2002 #2184 Preserve builtin conf when installing npm globally (@isaacs)

DEPENDENCIES

• b74c05d88 @npmcli/run-script@1.8.0
  • fix windows command-line argument escaping

DOCUMENTATION

• 4e522fdc9 #2179 remove mention to --parseable option from npm audit docs (@Primajin)

7.0.11 (2020-11-13)

DEPENDENCIES

• 629a667a9 eslint@7.13.0
• de9891bd2 eslint-plugin-standard@4.1.0
• c3e7aa31c #2123 #1957 @npmcli/arborist@1.0.11

BUG FIXES

• a8aa38513 #2134 #2156 Fix cannot read property length of undefined in ERESOLVE explanation code (@isaacs)
• 1dbf0f9bb #2150 #2155 send json errors to stderr, not stdout (@isaacs)
• fd1d7a21b #1927 #2154 Set process.title a bit more usefully (@isaacs)
• 2a80c67ef #2008 #2153 Support legacy auth tokens for registries that use them (@ruyadorno)
• 786e36404 #2017 #2159 pass all options to Arborist for npm ci (@darcyclarke)
• b47ada7d1 #2161 fixed typo (@scarabedore)

7.0.10 (2020-11-10)

DOCUMENTATION

• e48badb03 #2148 Fix link in documentation (@gurdiga)

BUG FIXES

• 8edbbdc70 #1972 Support exec auto pick bin when all bin is alias (@dr-js)

DEPENDENCIES

• 04a3e8c10 #1962 @npmcli/arborist@1.0.10:
  • prevent self-assignment of parent/fsParent
  • Support update options in global package space

7.0.9 (2020-11-06)

BUG FIXES

• 96a0d2802 default the 'start' script when server.js present (@isaacs)
• 7716e423e #2075 #2071 print the registry when using 'npm login' (@Wicked7000)
• 7046fe10c #2122 tests for npm cache command (@nlf)

DEPENDENCIES

• 74325f53b #2124 @npmcli/run-script@1.7.5:
  • Export the isServerPackage method
  • Proxy signals to and from foreground child processes
• 0e58e6f6b #1984 #2079 #1923 #606 #2031 @npmcli/arborist@1.0.9:
  • Process deps for all link nodes
  • Use junctions instead of symlinks
  • Use @npmcli/move-file instead of fs.rename
• 1dad328a1 #1865 #2106 #2084 pacote@11.1.13:
  • Properly set the installation command for prepare scripts when installing git/dir deps
• e090d706c #2097 libnpmversion@1.0.7:
  • Do not crash when the package.json file lacks a 'version' field
• 8fa541a10 cmark-gfm@0.8.4

7.0.8 (2020-11-03)

DOCUMENTATION

• 052e977b9 #1822 #1247 add section on peerDependenciesMeta field in package.json (@foxxyz)
• 52d32d175 #1970 match npm-exec.md -p usage with lib/exec.js (@dr-js)
• 48ee8d01e #2096 Fix RFC links in changelog (@jtojnar)

BUG FIXES

• 6cd3cd08a Support all conf keys in publishConfig
• a1f9be8a7 #2074 Support publishing any kind of spec, not just directories

DEPENDENCIES

• 545382df6 libnpmpublish@4.0.0:
  • Support publishing things other than folders
• 7d88f1719 npm-registry-fetch@9.0.0
• 823b40a4e pacote@11.1.12
• 90bf57826 npm-profile@5.0.2
• e5a413577 libnpmteam@2.0.2
• fc5aa7b4a libnpmsearch@3.0.1
• 9fc1dee13 libnpmorg@2.0.1
• 0ea870ec5 libnpmhook@6.0.1
• 32fd744ea libnpmaccess@4.0.1
• fc76f3d9f @npmcli/arborist@1.0.8
  • Fix cannot read property 'description' of undefined in npm ls when package-lock.json is corrupted
  • Do not allow peerDependencies to be nested under dependents in any circumstances
  • Always resolve peerDependencies in --prefer-dedupe mode

7.0.7 (2020-10-30)

BUG FIXES

• 3990b422d #2067 use sh as default unix shell, not bash (@isaacs)
• 81d6ceef6 #1975 fix npm exec on folders missing package.json (@ruyadorno)
• 2a680e91a #2083 delete the contents of node_modules only in npm ci (@nlf)
• 2636fe1f4 #2086 disable banner output if loglevel is silent in npm run-script (@macno)

DEPENDENCIES

• 4156f053e @npmcli/run-script@1.7.4
  • restore the default npm start script
• 1900ae9ad @npmcli/promise-spawn@1.3.2
  • fix errors when processing scripts as root
• 8cb0c166c @npmcli/arborist@1.0.6
  • make sure missing bin links get set on reify

7.0.6 (2020-10-27)

BUG FIXES

• 46c7f792a #2047 #1935 skip the prompt when in a known ci environment (@nlf)
• f8f6e1fad #2049 properly remove pycache in release script (@MylesBorins)
• 5db95b393 #2050 pack: do not show individual files of bundled deps (@isaacs)
• 3ee8f3b34 #2051 view: Better errors when package.json is not JSON (@isaacs)

DEPENDENCIES

• 99ae633f6 libnpmversion@1.0.6
  • respect gitTagVersion = false
• d4173f58d @npmcli/promise-spawn@1.3.1
  • do not return empty buffer when stdio is inherited
  • attach child process to returned promise
• c09380fa5 @npmcli/run-script@1.7.3
  • forward SIGINT and SIGTERM to children that inherit stdio
• b154861ad @npmcli/arborist@1.0.5
• ffea6596b agent-base@6.0.2
  • support http proxy for https registries

7.0.5 (2020-10-23)

• 77ad86b5e Merge docs deps with main project

7.0.4 (2020-10-23)

DOCUMENTATION

• cc026daf8 docs: npm-dedupe through npm-install
• aec77acf8 #1915 use "dockhand" for faster static documentation generation (@ethomson)
• aeb10d210 #2024 Fix post-install script name (@irajtaghlidi)

BUG FIXES

• 59e8dd6c6 #2015 #2016 Properly set npm_command environment variable.

TESTS

• 39ad1ad9e #2001 npm config tests (@ruyadorno)
• b9c1caa8e #2026 npm owner test and refactor (@ruyadorno)

DEPENDENCIES

• ed6e6a9d3 eslint-plugin-standard@4.0.2

• b737ee999 #2009 #2007 npm-packlist@2.1.4:

  • Maintain order in package.json files array globs
  • Strip slashes from package files list results

• 783965508 #1997 #2000 #2005 @npmcli/arborist@1.0.4

  • Ensure that root is added when root.meta is set
  • Include all edges in explain() output when a root edge exists
  • Do not conflict on meta-peers that will not be replaced
  • Install peerOptionals if explicitly requested, or dev

7.0.3 (2020-10-20)

BUG FIXES

• ce4724a38 #1986 check result when determining exit code of ls <filter> (@G-Rath)
• 00d926f8d #1987 don't suppress run output when --silent is passed (@G-Rath)
• 043da2347 improve cache clear error message (@isaacs)

DOCUMENTATION

• a57f5c466 update docs for: access, adduser, audit, bin, bugs, build, cache, ci, completion, config and dedupe (@isaacs)
• 5b88b72b9 remove the long-gone bundle command (@isaacs)
• ae09aa5c1 #1993 document --save-peer as a common option to npm install (@JakeChampion)
• c9993e6b1 #1982 fix url links for init-package-json/node-semver (@takenspc)

DEPENDENCIES

• 5d9df8395 node-gyp@7.1.2

7.0.2 (2020-10-16)

DOCUMENTATION

• 9476734b7 #1967 add mention to workspaces prepare lifecycle (@ruyadorno)

BUG FIXES

• 5cf71c689 #1971 owner rm at local pkg not work (@ShangguanQuail)

DEPENDENCIES

• 722b7ae63 #1974 patch node-gyp (@targos)
• 4ae825c01 #1976 patch node-gyp (@MylesBorins)
• 181eabf13 @npmcli/arborist@1.0.3
  • fix workspaces prepare lifecycle scripts
  • fix peer deps overchecks resulting in ERESOLVE
• 6cc115409 init-package-json@2.0.1
• dbf9d6d1f libnpmpublish@3.0.2

7.0.1 (2020-10-15)

DOCUMENTATION

• 03fca6a3b Adds docs on workspaces, explaining its basic concept and how to use it. (@ruyadorno)

BUG FIXES

• 2ccb63659 #1951 #1956 Handle errors from audit endpoint appropriately (@isaacs)

DEPENDENCIES

• 120e62736 node-gyp@7.1.1
• 6560b8d95 @npmcli/arborist@1.0.2
  • do not drop scope information when fetching scoped package tarballs
  • fix cycles/ordering resolution when peer deps require nesting
• 282a1e008 npm-user-validate@1.0.1
• b259edcb4 hosted-git-info@3.0.7

v7.0.0 (2020-10-12)

BUG FIXES

• 7bcdb3636 #1949 fix: ensure publishConfig is passed through (@nlf)
• 97978462e fix: patch config.js to remove duplicate vals (@darcyclarke)

DOCUMENTATION

• 60769d757 #1911 docs: v7 npm-install refresh (@ruyadorno)
• 08de49042 #1938 docs: v7 using npm config updates (@ruyadorno)

DEPENDENCIES

• 15366a1cf npm-registry-fetch@8.1.5
• f04a74140 init-package-json@2.0.0
  • 1de21dce0 fix: support dot-separated aliases defined in a .npmrc ini files for init-* configs (@ruyadorno)
• a67275cd9 eslint@7.11.0
• 6fb83b78d hosted-git-info@3.0.6
• 1ca30cc9b libnpmfund@1.0.0
• 28a2d2ba4 @npmcli/arborist@1.0.0
  • npm/rfcs#239 Improve handling of conflicting peerDependencies in transitive dependencies, so that --force will always accept a best effort override, and --strict-peer-deps will fail faster on conflicts.
• 9306c6833 libnpmfund@1.0.1
• fafb348ef npm-package-arg@8.1.0
• 365f2e756 read-package-json@3.0.0

v7.0.0-rc.4 (2020-10-09)

• 09b456f2d @npmcli/config@1.2.1
  • #1919 exposes npm_config_user_agent env variable (@nlf)
• e859fba9e #1936 fix npx for non-interactive shells (@nlf)
• 9320b8e4f #1906 restore old npx behavior of running existing bins first (@nlf)
• 7bd47ca2c @npmcli/arborist@0.0.33
  • fixed handling of invalid package.json file
• 02737453b make-fetch-happen@8.0.10
  • do not calculate integrity values of http errors

v7.0.0-rc.3 (2020-10-06)

• d816c2efa c8f0d5457 d48086d0d f34595f2e #1902 tests for several commands (@nlf)
• 6d49207db #1903 Revert "Remove unused npx binary" (@MylesBorins)
• 138dfc202 set executable permissions on bins that node installer uses
• b06d68078 @npmcli/arborist@0.0.32
  • Do not remove node_modules folders from Workspaces when loadActual races with buildIdealTree (@ruyadorno)
• 2509e3a1b uuid@8.3.1

v7.0.0-rc.2 (2020-10-02)

• 6de81a013 @npmcli/run-script@1.7.2
  • Fix regression running 'install' scripts when package.json does not contain a scripts object

v7.0.0-rc.1 (2020-10-02)

• 281a7f39a @npmcli/arborist@0.0.31
  • Allow npm update to update bundled root dependencies
  • Only do implicit node-gyp build for gyp files named binding.gyp
• 384f5ec47 update minipass-fetch to fix many 'cb() never called' errors
• 7b1e75906 @npmcli/run-script@1.7.1
  • Only do implicit node-gyp build for gyp files named binding.gyp
• c20e2f0c7 #1892 Support --omit options in npm outdated

v7.0.0-rc.0 (2020-10-01)

• 3b417055c #1859 fix proxy and https-proxy config support (@badeggg)
• dd7d7a284 @npmcli/arborist@0.0.30
  • #1849 Do not drop peer/dev dep while saving if both set
  • Do not install or build if there is a global top bin conflict
  • Default to building node-gyp dependencies
• 40c17e12c cli-table3@0.6.0
• 47a8ca1d7 byte-size@7.0.0
• 81073f99a eslint@7.10.0
• 67793abd4 eslint-plugin-import@2.22.1
• a27e8d006 is-cidr@4.0.2
• 893fed45e marked-man@0.7.0
• bc20e0c8a rimraf@3.0.2
• a2b8fd3c1 uuid@8.3.0
• ee4c85b87 write-file-atomic@3.0.3
• 4bdad5fdf bin-links@2.2.1
• c394937ec @npmcli/run-script@1.7.0
  • Default to building node-gyp dependencies and projects
• remove many unused dependencies (@ruyadorno)
  • 558e9781a deep-equal
  • 2aa9a1f8a request
  • d77594e52 npm-registry-couchapp
  • 8ec84d9f6 tacks
  • a07b421f7 lincesee
  • 41126e165 npm-cache-filename
  • 130da51b5 npm-registry-mock
  • b355af486 sprintf-js
  • 721c0a873 uid-number
  • 9c920e5f5 umask
  • aae1c38bb config-chain
  • 450845eac find-npm-prefix
  • 963d542d3 has-unicode
  • cad9cbc70 infer-owner
  • 3ae02914d lockfile
  • 7bc474d7c once
  • 5c5e0099a retry
  • cfaddd334 sha
  • 3a978ffc7 slide

v7.0.0-beta.13 (2020-09-29)

• 405e051f7 Fix EBADPLATFORM error message (@#1876)
• e4d911d21 @npmcli/arborist@0.0.28
  • fix: workspaces install entering an infinite loop
  • Save provided range if not a subset of savePrefix
  • package-lock.json custom indentation
  • Check engine and platform when building ideal tree
• 90550b2e0 #1853 test coverage and refactor for token command (@nlf)
• 2715220c9 #1858 #1813 do not include omitted optional dependencies in install output (@ruyadorno)
• e225ddcf8 #1862 #1861 respect depth when running npm ls <pkg> (@ruyadorno)
• 2469ae515 #1870 #1780 Add 'fetch-timeout' config (@isaacs)
• 52114b75e #1871 fix npm ls for linked dependencies (@ruyadorno)
• 9981211c0 #1857 #1703 fix npm outdated parsing invalid specs (@ruyadorno)

v7.0.0-beta.12 (2020-09-22)

• 24f3a5448 #1811 npm ci should never save package.json or lockfile (@isaacs)
• 5e780a5f0 remove unused spec parameter, assign error code (@nlf)
• f019a248a Remove unused npx binary (@isaacs)
• db157b3ce @npmcli/arborist@0.0.27
  • Resolve race condition with conflicting bin links in local installs
  • #1812 Log engine mismatches more usefully
  • #1814 Do not loop trying to resolve dependencies that fail to load
  • npm/rfcs#224 Do not automatically install optional peer dependencies
  • Add the strictPeerDeps option, defaulting to false
  • fix forwarding configs to resolve pkg spec when adding new deps
• b3a50d275 #1846 @npmcli/run-script@1.6.0
  • This updates node-gyp to v7, allowing us to deduplicate a lot of significant dependencies.
• a1d375f6b #1819 Add --strict-peer-deps option (@isaacs)
• 5837a4843 #1699 Use allow/deny list in docs (@luciomartinez)

v7.0.0-beta.11 (2020-09-16)

• 63005f4a9 #1639 npm view should not output extra newline (@MylesBorins)
• 3743a42c8 #1750 add outdated tests (@claudiahdz)
• 2019abdf1 #1786 add lib/link.js tests (@ruyadorno)
• 2f8d11968 @npmcli/arborist@0.0.25
  • add meta vulnerability calculator for faster audits
  • changed parsing specs to be relative to cwd
  • fix logging script execution
  • fix properly following resolved symlinks
  • fix package.json dependencies order
• 49b2bf5a7 @npmcli/config@1.1.8
  • fix unknown envs to be passed through
  • fix setting correct globalPrefix on load
• f9aac351d libnpmversion@1.0.5
  • fix git ignored lockfiles

v7.0.0-beta.10 (2020-09-08)

• 7418970f0 Improve output of dependency node explanations
• 5e49bdaa3 #1776 Add 'npm explain' command

v7.0.0-beta.9 (2020-09-04)

• ef8f5676b #1757 view: always fetch fullMetadata, and preferOnline

• ac5aa709a #1758 fix scope config

• a36e2537f outdated: don't throw on non-version/tag/range dep

• 371f0f062 @npmcli/arborist@0.0.20

  • Provide explanation objects for ERESOLVE errors
  • Support overriding certain classes of ERESOLVE errors with --force
  • Detect changes to package.json requiring package-lock dependency flag re-evaluation

• 2a4e2e9ef #1761 Explain ERESOLVE errors

• 8e3e83bd4 @npmcli/arborist@0.0.21

  • Remove bin links on prune
  • Remove unnecessary tree walk for workspace projects
  • Install workspaces on update:true

• d6b134fd9 #1738 #1734 fix package spec parsing during cache add process (@mjeanroy)

• f105eb833 npm-audit-report@2.1.4:

  • Do not crash on cyclical meta-vulnerability references

• 03a9f569b opener@1.5.2

• 5616a23b4 @npmcli/git@2.0.4

  • Support .git files, so that git worktrees are respected

v7.0.0-beta.8 (2020-09-01)

• 834e62a0e
  • fix: npm ls extraneous workspaces
  • @npmcli/arborist@0.0.19
• 758b02358 #1739 add full install options to npm exec (@ruyadorno)
• 2ee7c8a98 @npmcli/config@1.1.7 (@ruyadorno)

v7.0.0-beta.7 (2020-08-25)

• b38f68acd ensure npm-command HTTP header is sent properly
• 9f200abb9 Properly exit with error status code
• aa0152b58 #1719 Detect CI properly
• 50f9740ca #1717 fund with multiple funding sources (@ruyadorno)
• 3a63ecb6f #1718 RFC-0029 add ability to skip pre/post hooks to npm run-script by using --ignore-scripts (@ruyadorno)

v7.0.0-beta.6 (2020-08-21)

• 707207bdd add @npmcli/config dependency

• 5cb9a1d4d #1688 use @npmcli/config for configuration (@isaacs)

• a4295f5db npm-registry-fetch@8.1.4:

  • Redact passwords from HTTP logs

• a5a6a516d json-parse-even-better-errors@2.3.0:

  • Adds support for indentation/newline formatting preservation

• a14054558 read-package-json-fast@1.2.1:

  • Adds support for indentation/newline formatting preservation

• f8603c8af libnpmversion@1.0.4:

  • Adds support for indentation/newline formatting preservation

• 9891fa71c read-package-json@2.1.2:

  • Adds support for indentation/newline formatting preservation

• b44768aac #1662 #1693 #1690 @npmcli/arborist@0.0.17:

  • Load root project package.json when running loadVirtual.
  • Fetch metadata from registry when loading tree from outdated package-lock.json file. This avoids a situation where a lockfile or shrinkwrap from npm v5 would result in deleting dependencies on install.
  • Preserve package.json and package-lock.json formatting in all places where these files are written.

• 281da6fdc tar@6.0.5

• 1faa5b33d #1655 show usage when help-search finds no results

• 10fcff73a #1695 fix pulseWhileDone promise handling

• 88e4241c5 #1698 add lib/logout.js unit tests (@ruyadorno)

v7.0.0-beta.5 (2020-08-18)

• b718b0e28 #1657 display multiple versions when using --json with npm view (@claudiahdz)
• 9e7cc42f6 #1071 migrate from meant to leven (@jamesgeorge007)
• 85027f40c #1664 refactor and add tests for npm adduser (@ruyadorno)
• 6e03e5583 #1672 refactor and add tests for npm audit (@claudiahdz)

v7.0.0-beta.4 (2020-08-11)

Replace some environment variables that were excluded. This implements the amendment to RFC0021.

• 631142f4a @npmcli/run-script@1.5.0
• da95386ae #1650 #1652 include booleans, skip already-set envs

v7.0.0-beta.3 (2020-08-10)

Bring back support for npm audit --production, fix a minor npm version annoyance, and track down a very serious issue where a project could be blown away when it matches a meta-dep in the tree.

• 5fb217701 #1641 @npmcli/arborist@0.0.15
• 3598fe1f2 @npmcli/arborist@0.0.16 Add support for npm audit --production
• 8ba2aeaee libnpmversion@1.0.3

v7.0.0-beta.2 (2020-08-07)

New notification style for updates, and a working doctor.

• cf2819210 #1622 Improve abbrevs for install and help
• d062b2c02 new npm-specific update-notifier implementation
• f6d468a3b update doctor command
• b8b4d77af #1638 Direct users to our GitHub issues instead of npm.community

v7.0.0-beta.1 (2020-08-05)

Fix some issues found in the beta pubish process, and initial attempts to use npm v7 with citgm.

• 2c305e8b7 output generated tarball filename
• 0808328c9 pack: set correct filename for scoped packages (@isaacs)
• cf27df035 @npmcli/arborist@0.0.14 (@isaacs)

v7.0.0-beta.0 (2020-08-04)

Major refactoring and overhaul of, well, pretty much everything. Almost all dependencies have been updated, many have been removed, and the entire Installer class is moved into @npmcli/arborist.

Some High-level Changes and Improvements

• You can install GitHub pull requests by adding #pull/<number> to the git url. So it'd be something like npm install github:user/project#pull/123 to install PR number 123 of the user/project git repo. You can of course also use this in dependencies, or anywhere else dependency specifiers are found.
• Initial Workspaces support is added. If you npm install in a project with a workspaces declaration, npm will install all your sub-projects' dependencies as well, and link everything up proper.
• npm exec is added, to run any arbitrary command as if it was an npm script. This is sort of like npx, which is also ported to use npm exec under the hood.
• npm audit output is tightened up, and prettified. Audit can also now fix a few more classes of problems, sends far less data over the wire, and doesn't place blame on the wrong maintainers. (Technically this is a breaking change if you depend on the specific audit output, but it's also a big improvement!)
• npm install got faster. Like a lot faster. "So fast you'll think it's broken" faster. npm ls got even fasterer. A lot of stuff sped up, is what we're saying.
• Support has been dropped for Node.js versions less than v10.

On the "Breaking" in "Breaking Changes"

The Semantic Versioning specification precisely defines what constitutes a "breaking" change. In a nutshell, it's any change that causes a you to change your code in order to start using our code. We hasten to point this out, because a "breaking change" does not mean that something about the update is "broken", necessarily.

We're sure that some things likely are broken in this beta, because beta software, and a healthy pessimism about things. But nothing is "broken" on purpose here, and if you find a bug, we'd love for you to let us know.

Known Issues, and What's Missing From This Beta (Why Not GA?)

It's beta software!

Tests

We have not yet gotten to 100% test coverage of the npm CLI codebase. As such, there are almost certainly bugs lying in wait. We do have 100% test coverage of most of the commands, and all recently-updated dependencies in the npm stack, so it's certainly more well-tested than any version of npm before.

Docs

The documentation is incorrect and out of date in most places. Prior to a GA release, we'll be going through all of our documentation with a fine-toothed comb to minimize the lies that it tells.

Error Messaging

There are a few cases where this release will just say something failed, and not give you as much help as we'd like. We know, and we'll fix that prior to the GA 7.0.0 release.

In particular, if you install a project that has conflicting peerDependencies in the tree, it'll just say "Unable to resolve package tree". Prior to GA release, it'll tell you how to fix it. (For the time being, just run it again with --legacy-peer-deps, and that'll make it operate like npm v6.)

Audit Issue

There is a known performance issue in some cases that we've identified where npm audit can spin wildly out of control like a dancer gripped by a fever, heating up your laptop with fires of passion and CPU work. This happens when a vulnerability is in a tree with a lot of cross-linked dependencies that all depend on one another.

We have a fix for it, but if you run into this issue, you can run with --no-audit to tell npm to chill out a little bit.

That's about it! It's ready to use, and you should try it out.

Now on to the list of BREAKING CHANGES!

Programmatic Usage

• RFC 20 The CLI and its dependencies no longer use the figgy-pudding library for configs. Configuration is done using a flat plain old JavaScript object.
• The lib/fetch-package-metadata.js module is removed. Use pacote to fetch package metadata.
• @npmcli/arborist should be used to do most things programmatically involving dependency trees.
• The onload-script option is no longer supported.
• The log-stream option is no longer supported.
• npm.load() MUST be called with two arguments (the parsed cli options and a callback).
• npm.root alias for npm.dir removed.
• The package.json in npm now defines an exports field, making it no longer possible to require() npm's internal modules. (This was always a bad idea, but now it won't work.)

All Registry Interactions

The following affect all commands that contact the npm registry.

• referer header no longer sent
• npm-command header added

All Lifecycle Scripts

The environment for lifecycle scripts (eg, build scripts, npm test, etc.) has changed.

• RFC 21 Environment no longer includes npm_package_* fields, or npm_config_* fields for default configs. npm_package_json, npm_package_integrity, npm_package_resolved, and npm_command environment variables added.

  (NB: this will change a bit prior to a v7.0.0 GA release)

• RFC 22 Scripts run during the normal course of installation are silenced unless they exit in error (ie, with a signal or non-zero exit status code), and are for a non-optional dependency.

• RFC 24 PATH environment variable includes all node_modules/.bin folders, even if found outside of an existing node_modules folder hierarchy.

• The user, group, uid, gid, and unsafe-perms configurations are no longer relevant. When npm is run as root, scripts are always run with the effective uid and gid of the working directory owner.

• Commands that just run a single script (npm test, npm start, npm stop, and npm restart) will now run their script even if --ignore-scripts is set. Prior to the GA v7.0.0 release, they will not run the pre/post scripts, however. (So, it'll be possible to run npm test --ignore-scripts to run your test but not your linter, for example.)

npx

The npx binary was rewritten in npm v7, and the standalone npx package deprecated when v7.0.0 hits GA. npx uses the new npm exec command instead of a separate argument parser and install process, with some affordances to maintain backwards compatibility with the arguments it accepted in previous versions.

This resulted in some shifts in its functionality:

• Any npm config value may be provided.
• To prevent security and user-experience problems from mistyping package names, npx prompts before installing anything. Suppress this prompt with the -y or --yes option.
• The --no-install option is deprecated, and will be converted to --no.
• Shell fallback functionality is removed, as it is not advisable.
• The -p argument is a shorthand for --parseable in npm, but shorthand for --package in npx. This is maintained, but only for the npx executable. (Ie, running npm exec -p foo will be different from running npx -p foo.)
• The --ignore-existing option is removed. Locally installed bins are always present in the executed process PATH.
• The --npm option is removed. npx will always use the npm it ships with.
• The --node-arg and -n options are removed.
• The --always-spawn option is redundant, and thus removed.
• The --shell option is replaced with --script-shell, but maintained in the npx executable for backwards compatibility.

We do intend to continue supporting the npx that npm ships; just not the npm install -g npx library that is out in the wild today.

Files On Disk

• RFC 13 Installed package.json files no longer are mutated to include extra metadata. (This extra metadata is stored in the lockfile.)
• package-lock.json is updated to a newer format, using "lockfileVersion": 2. This format is backwards-compatible with npm CLI versions using "lockfileVersion": 1, but older npm clients will print a warning about the version mismatch.
• yarn.lock files used as source of package metadata and resolution guidance, if available. (Prior to v7, they were ignored.)

Dependency Resolution

These changes affect install, ci, install-test, install-ci-test, update, prune, dedupe, uninstall, link, and audit fix.

• RFC 25 peerDependencies are installed by default. This behavior can be disabled by setting the legacy-peer-deps configuration flag.

  BREAKING CHANGE: this can cause some packages to not be installable, if they have unresolveable peer dependency conflicts. While the correct solution is to fix the conflict, this was not forced upon users for several years, and some have come to rely on this lack of correctness. Use the --legacy-peer-deps config flag if impacted.

• RFC 23 Support for acceptDependencies is added. This can result in dependency resolutions that previous versions of npm will incorrectly flag as invalid.

• Git dependencies on known git hosts (GitHub, BitBucket, etc.) will always attempt to fetch package contents from the relevant tarball CDNs if possible, falling back to git+ssh for private packages. resolved value in package-lock.json will always reflect the git+ssh url value. Saved value in package.json dependencies will always reflect the canonical shorthand value.

• Support for the --link flag (to install a link to a globall-installed copy of a module if present, otherwise install locally) has been removed. Local installs are always local, and npm link <pkg> must be used explicitly if desired.

• Installing a dependency with the same name as the root project no longer requires --force. (That is, the ENOSELF error is removed.)

Workspaces

• RFC 26 First phase of workspaces support is added. This changes npm's behavior when a root project's package.json file contains a workspaces field.

npm update

• RFC 19 Update all dependencies when npm update is run without any arguments. As it is no longer relevant, --depth config flag removed from npm update.

npm outdated

• RFC 27 Remove --depth config from npm outdated. Only top-level dependencies are shown, unless --all config option is set.

npm adduser, npm login

• The --sso options are deprecated, and will print a warning.

npm audit

• Output and data structure is significantly refactored to call attention to issues, identify classes of fixes not previously available, and remove extraneous data not used for any purpose.

  BREAKING CHANGE: Any tools consuming the output of npm audit will almost certainly need to be updated, as this has changed significantly, both in the readable and --json output styles.

npm dedupe

• Performs a full dependency tree reification to disk. As a result, npm dedupe can cause missing or invalid packages to be installed or updated, though it will only do this if required by the stated dependency semantics.

• Note that the --prefer-dedupe flag has been added, so that you may install in a maximally deduplicated state from the outset.

npm fund

• Human readable output updated, reinstating depth level to the printed output.

npm ls

• Extraneous dependencies are listed based on their location in the node_modules tree.
• npm ls only prints the first level of dependencies by default. You can make it print more of the tree by using --depth=<n> to set a specific depth, or --all to print all of them.

npm pack, npm publish

• Generated gzipped tarballs no longer contain the zlib OS indicator. As a result, they are truly dependent only on the contents of the package, and fully reproducible. However, anyone relying on this byte to identify the operating system of a package's creation may no longer rely on it.

npm rebuild

• Runs package installation scripts as well as re-creating links to bins. Properly respects the --ignore-scripts and --bin-links=false configuration options.

npm build, npm unbuild

• These two internal commands were removed, as they are no longer needed.

npm test

• When no test is specified, will fail with missing script: test rather than injecting a synthetic echo 'Error: no test specified' test script into the package.json data.

Credits

Huge thanks to the people who wrote code for this update, as well as our group of dedicated Open RFC call participants. Your participation has contributed immeasurably to the quality and design of npm.

Edit this page on GitHub

9 contributorslukekarryswraithgarfritzynlfruyadornoisaacsdarcyclarkeXhmikosRjtojnar

Last edited by lukekarrys on October 4, 2021