This is a smallish release with a new config option and some bug fixes. And lots of module updates.
THIS IS BETA SOFTWARE. Yes, we're still reminding you of this. No,
you can't be excused. npm@3
will remain in beta until we're confident
that it's stable and have assessed the effect of the breaking changes on the
community. During that time we will still be doing npm@2
releases, with
npm@2
tagged as latest
and next
. We'll also be publishing new
releases of npm@3
as [email protected]
and [email protected]
alongside those
versions until we're ready to switch everyone over to npm@3
. We need your
help to find and fix its remaining bugs. It's a significant rewrite, so we
are sure there still significant bugs remaining. So do us a solid and
deploy it in non-critical CI environments and for day-to-day use, but maybe
don't use it for production maintenance or frontline continuous deployment
just yet.
-
b3ee452
#9038 We previously disabled the use of the newfs.access
API on Windows, but the bug we were seeing is fixed in [email protected] so we now usefs.access
if you're using that version or greater. (@iarna) -
b181fa3
#8921 #8637 Rejigger how we validate modules for install. This allow is to fix a problem where arch/os checking wasn't being done at all. It also made it easy to add back in a check that declines to install a module in itself unless you force it. (@iarna)
These are all development dependencies and semver-compatible subdep upgrades, so they should not have visible impact on users.
6b3f6d9
[email protected]f4e22e5
[email protected] (inside concat-stream)f130bfc
[email protected] (inside node-gyp's copy of glob)36c6a0d
[email protected]80df59c
[email protected]ea935d9
[email protected]3588a0c
[email protected]c6a8450
[email protected]a04925b
[email protected]ee7c095
[email protected]944fc34
[email protected]783dc7b
[email protected]acef0fe
[email protected]dfe959a
[email protected]a03bc76
[email protected]8a07d50
[email protected]7785e3f
[email protected]826fb35
[email protected]76030b3
[email protected]1a49ec6
[email protected]eebe47f
[email protected]09994d4
[email protected]b6f8dbf
[email protected]c67dd6b
[email protected]4add042
[email protected]e04993c
[email protected]2ed7da4
[email protected]ae08244
[email protected]e71410e
[email protected]67c13e0
[email protected]12ee041
[email protected]15564a6
[email protected]8733bff
[email protected]230943c
[email protected]26a4653
[email protected]3d27081
[email protected]9efa110
[email protected]
- As usual, we've ported all the npm@2 goodies in this week's v2.13.3 release.
It's pretty hard to outdo last week's release buuuuut~ I promise I'll have a treat when we release our shiny new Teams and Organizations feature! :D (Coming Soon™). It'll be a real gem.
That means it's a pretty low-key release this week. We got some nice documentation tweaks, a few bugfixes, and other such things, though!
Oh, and a bunch of version bumps. Thanks, semver
!
2fac6ae
#9012 A convenience for releases -- using the globally-installed npm before now was causing minor annoyances, so we just use the exact same npm we're releasing to build the new release. (@zkat)
There's a couple of doc updates! The last one might be interesting.
4cd3205
#9002 Updated docs to list the various files that npm automatically includes and excludes, regardless of settings. (@SimenB)cf09e75
#9022 Document the"access"
field in"publishConfig"
. Did you know you don't need to use--access=public
when publishing scoped packages?! Just put it in yourpackage.json
! Go refresh yourself on scopes packages by checking our docs on them. (@boennemann)bfd73da
#9013 fixed typo in changelog (@radarhere)
Basically, semver
is up to @5
, and that meant we needed to go in an update a
bunch of our dependencies manually. node-gyp
is still pending update, since
it's not ours, though!
9232e58
#8972[email protected]
(@othiym23)ba44f6b
#8972[email protected]
(@othiym23)3901d3c
#8972[email protected]
(@othiym23)ffcc7dd
#8972[email protected]
(@othiym23)7128f9e
#8972[email protected]
(@othiym23)af28911
#8972[email protected]
(@othiym23)3cc817a
#8972 node-gyp needs its own version of semver (@othiym23)f98eccc
#8972[email protected]
: Stop including browser builds. (@isaacs)
And some other version bumps for good measure.
254ecfb
#8990[email protected]
: Fixes an issue with documentation rendering where backticks in 2nd-level headers would break rendering (?!?!) (@steveklabnik)79efd79
[email protected]
: A pattern like'*.!(x).!(y)'
should not match a name like'a.xyz.yab'
. (@isaacs)39c7dc9
[email protected]
: A few bug fixes and doc updates. (@simov)72d3c3a
[email protected]
: Minor doc and dep updates (@isaacs)7513035
[email protected]
(@pgte)3d9aa82
Fixes this thing where Kat decided to savenock
as a regular dependency ;) (@othiym23)
Rebecca: So Kat, I hear this week's other release uses a dialog between us to explain what changed?
Kat: Well, you could say that…
Rebecca: I would! This week I fixed more npm@3 bugs!
Kat: That sounds familiar.
Rebecca: Eheheheh, well, before we look at those, a word from our sponsor…
THIS IS BETA SOFTWARE. Yes, we're still reminding you of this. No,
you can't be excused. npm@3
will remain in beta until we're confident
that it's stable and have assessed the effect of the breaking changes on the
community. During that time we will still be doing npm@2
releases, with
npm@2
tagged as latest
and next
. We'll also be publishing new
releases of npm@3
as [email protected]
and [email protected]
alongside those
versions until we're ready to switch everyone over to npm@3
. We need your
help to find and fix its remaining bugs. It's a significant rewrite, so we
are sure there still significant bugs remaining. So do us a solid and
deploy it in non-critical CI environments and for day-to-day use, but maybe
don't use it for production maintenance or frontline continuous deployment
just yet.
Rebecca: Ok, enough of the dialoguing, that's Kat's schtick. But do remember kids, betas hide in dark hallways waiting to break your stuff, stuff like…
-
6d69ec9
#8967 Removing a module linked into your globals would result in having all of its subdeps removed. Since the npm release process does exactly this, it burned me -every- -single- -week-. =D While we're here, we also removed extraneous warns that used to spill out when you'd remove a symlink. (@iarna) -
fdb360f
#8874 Linking scoped modules was failing outright, but this fixes that and updates our tests so we don't do it again. (@iarna)
9fafb18
#8701 npm@3 introduced permissions checks that run before it actually tries to do something. This saves you from having an install fail half way through. We did this using the shiny newfs.access
function available innode 0.12
andio.js
, with fallback options for older nodes. Unfortunately the way we implemented the fallback caused racey problems for Windows systems. This fixes that by ensuring we only ever run any one check on a directory once. BUT it turns out there are bugs infs.access
on Windows. So this ALSO just disables the use offs.access
on Windows entirely until that settles out. (@iarna)
5656baa
[email protected]
: Better handle terminal resizes while printing the progress bar (@iarna)
- Check out Kat's super-fresh release notes for v2.13.2 and see all the changes we ported from npm@2.
Kat: Hooray! Full team again, and we've got a pretty small patch release this week, about everyone's favorite recurring issue: git URLs!
Rebecca: No Way! Again?
Kat: The ride never ends! In the meantime, there's some fun, exciting work in the background to get orgs and teams out the door. Keep an eye out for news. :)
Rebecca: And make sure to keep an eye out for patches for the super-fresh
npm@3
!
Rebecca: So what's this about another git URL issue?
Kat: Welp, I apparently broke backwards-compatibility on what are actually
invalid git+https
URLs! So I'm making it work, but we're gonna deprecate URLs
that look like git+https://user@host:path/is/here
.
Rebecca: What should we use instead?!
Kat: Just do me a solid and use git+ssh://user@host:path/here
or
git+https://user@host/absolute/https/path
instead!
769f06e
Updated tests forgetResolved
so the URLs are run throughnormalize-git-url
. (@zkat)edbae68
#8881 Added tests to verify thatgit+https:
URLs are handled compatibly. (@zkat)
bad4e014
#8924 Make sure documented default values inlib/cache.js
properly correspond to current code. (@watilde)e7a11fd
#8036 Clarify the documentation for.npmrc
to clarify that it's not read at the project level when doing global installs. (@espadrine)
Kat: That's it for npm core changes!
Rebecca: Great! Let's look at the fresh new dependencies, then!
Kat: See you all next week!
Both: Stay Freeesh~
(some cat form of Forrest can be seen snoring in the corner)
bfa1f45
[email protected]
: Fixes url normalization such thatgit+https:
accepts scp syntax, but get converted into absolute-pathhttps:
URLs. Also fixes scp syntax so you can have absolute paths after the:
([email protected]:/some/absolute/place.git
) (@zkat)6f757d2
[email protected]
: Better handling of ENOTSUP (@isaacs)0920819
[email protected]
: Fixes an issue with long paths on Win32 (@TooTallNate)
So, v3.1.1
managed to actually break installing local modules. And then
immediately after I drove to an island for the weekend. 😁 So let's get
this fixed outside the usual release train!
Fortunately it didn't break installing global modules and so you could swap it out for another version at least.
THIS IS BETA SOFTWARE. Yes, we're still reminding you of this. No,
you can't be excused. npm@3
will remain in beta until we're confident
that it's stable and have assessed the effect of the breaking changes on the
community. During that time we will still be doing npm@2
releases, with
npm@2
tagged as latest
and next
. We'll also be publishing new
releases of npm@3
as [email protected]
and [email protected]
alongside those
versions until we're ready to switch everyone over to npm@3
. We need your
help to find and fix its remaining bugs. It's a significant rewrite, so we
are sure there still significant bugs remaining. So do us a solid and
deploy it in non-critical CI environments and for day-to-day use, but maybe
don't use it for production maintenance or frontline continuous deployment
just yet.
Rebecca's up too late writing tests, so you can have npm@3 bug fixes! Lots of great new issues from you all! ❤️️ Keep it up!
THIS IS BETA SOFTWARE. Yes, we're still reminding you of this. No,
you can't be excused. npm@3
will remain in beta until we're confident
that it's stable and have assessed the effect of the breaking changes on the
community. During that time we will still be doing npm@2
releases, with
npm@2
tagged as latest
and next
. We'll also be publishing new
releases of npm@3
as [email protected]
and [email protected]
alongside those
versions until we're ready to switch everyone over to npm@3
. We need your
help to find and fix its remaining bugs. It's a significant rewrite, so we
are sure there still significant bugs remaining. So do us a solid and
deploy it in non-critical CI environments and for day-to-day use, but maybe
don't use it for production maintenance or frontline continuous deployment
just yet.
9badfd6
#8608 Make global installs and uninstalls MUCH faster by only reading the directories of modules referred to by arguments. (@iarna075a5f0
#8660 Failed optional deps would still result in the optional deps own dependencies being installed. We now find them and fail them out of the tree. (@iarnac9fbbb5
#8863 The "no compatible version found" error message was including only the version requested, not the name of the package we wanted. Ooops! (@iarna32e6bbd
#8806 The "uninstall" lifecycle was being run after all of a module's dependencies has been removed. This reverses that order-- this means "uninstall" lifecycles can make use of the package's dependencies. (@iarna
- Check out the v2.13.1 release notes and see all the changes we ported from npm@2.
But Forrest's still kinda on vacation, and not just mentally, because he's hanging out with the fine meatbags at CascadiaFest. Enjoy this small bug release.
40981f2
#8862 Make the lifecycle's safety check work with scoped packages. (@tcort)5125856
#8855 Make dependency versions of"*"
match"latest"
when all versions are prerelease. (@iarna)22fdc1d
Visually emphasize the correct way to write lifecycle scripts. (@josh-egan)
413c3ac
Use npm's2.x
branch for testing its2.x
branch. (@iarna)7602f64
Don't prompt for GnuPG passphrase in version lifecycle tests. (@othiym23)
d338668
#8796[email protected]
: When packing the package tarball, npm no longer crashes for packages with certain combinations of.npmignore
entries,.gitignore
entries, and lifecycle scripts. (@iarna)dbe7c9c
[email protected]
: Add matching based on query strings. (@othiym23)
There are new versions of strip-ansi
and ansi-regex
, but npm only uses them
indirectly, so we pushed them down into their dependencies where they can get
updated at their own pace.
This has been a brief week of bug fixes, plus some fun stuff merged forward from this weeks 2.x release. See the 2.13.0 release notes for details on that.
You all have been AWESOME with all the npm@3 bug reports! Thank you and keep up the great work!
Remember how last week we said npm@3
would go to 3.0-next
and latest
tags? Yeaaah, no, please use [email protected]
and [email protected]
going forward.
I dunno why we said "suuure, we'll never do a feature release till we're out
of beta" when we're still forward porting [email protected]
features. ¯\_(ツ)_/¯
If you do accidentally use the old tag names, I'll be maintaining them for a few releases, but they won't be around forever.
THIS IS BETA SOFTWARE. npm@3
will remain in beta until we're
confident that it's stable and have assessed the effect of the breaking
changes on the community. During that time we will still be doing npm@2
releases, with npm@2
tagged as latest
and next
. We'll also be
publishing new releases of npm@3
as [email protected]
and [email protected]
alongside those versions until we're ready to switch everyone over to
npm@3
. We need your help to find and fix its remaining bugs. It's a
significant rewrite, so we are sure there still significant bugs
remaining. So do us a solid and deploy it in non-critical CI environments
and for day-to-day use, but maybe don't use it for production maintenance
or frontline continuous deployment just yet.
0030ade
#8685 Windows would hang when trying to clone git repos (@euprogramador)b259bcc
#8786 Windows permissions checks would cause installations to fail under some circumstances. We're disabling the checks entirely for this release. I'm hoping to check back with this next week to get a Windows friendly fix in. (@iarna)
0848698
#8686 Stop leaving progress bar cruft on the screen during publication (@ajcrites)57c3cea
#8695 Remote packages with shrinkwraps made npm cause node + iojs to explode and catch fire. NO MORE. (@iarna)2875ba3
#8723 I uh, told you that engineStrict checking had gone away last week. TURNS OUT I LIED. So this is making that actually be true. (@iarna)28064e5
#3358 Consistently allow Unicode BOMs at the start of package.json files. Previously this was allowed some of time, like when you were installing modules, but not others, like running npm version or installing w/--save
. (@iarna)3cb6ad2
#8736 npm@3 wasn't running the "install" lifecycle in your current (toplevel) module. This broke modules that relied on C compilation. BOO. (@iarna)68da583
#8766 To my great shame,npm link package
wasn't working AT ALL if you didn't havepackage
already installed. (@iarna)edd7448
[email protected]: This update makes read-package-tree not explode when there's bad data in your node_modules folder. npm@2 silently ignores this sort of thing. (@iarna)0bb08c8
#8778 RELATEDLY, we now show any errors from your node_modules folder after your installation completes as warnings. We're also reporting these innpm ls
now. (@iarna)6c248ff
#8779 Hey, you know how we used to complain if yourpackage.json
was missing stuff? Well guess what, we are again. I know, I know, you can thank me later. (@iarna)d6f7c98
So, when we were rolling back after errors we had untested code that tried to undo moves. Being untested it turns out it was very broken. I've removed it until we have time to do this right. (@iarna)
Just the one. Others came in via the 2.x release. Do check out its changelog, immediately following this message.
Well, not everything. Just a couple of goodies, like the new npm ping
command, and the ability to add files to the commits created by npm version
with the new version hooks. There's also a couple of bugfixes in npm
itself
and some of its dependencies. Here we go!
Yes, that's right! We now have a dedicated npm ping
command. It's super simple
and super easy. You ping. We tell you whether you pinged right by saying hello
right back. This should help out folks dealing with things like proxy issues or
other registry-access debugging issues. Give it a shot!
This addresses #5750, and will help
with the npm doctor
stuff described in
#6756.
f1f7a85
Add ping command to CLI (@michaelnisi)8cec629
Add ping command to npm-registry-client (@michaelnisi)0c0c92d
Fixed ping command issues (added docs, tests, fixed minor bugs, etc) (@zkat)
Seriously! This patch lets you add files to the version
commit before it's
made, So you can add additional metadata files, more automated changes to
package.json
, or even generate CHANGELOG.md
automatically pre-commit if
you're into that sort of thing. I'm so happy this is there I can't even. Do you
have other fun usecases for this? Tell
npmbot (@npmjs) about it!
582f170
#8620 version: Allow scripts to add files to the commit. (@jamestalmage)
We've had problems in the past with things like EMFILE
errors popping up when
trying to install packages with a bunch of dependencies. Isaac patched up
graceful-fs
to handle this case
better, so we should be seeing fewer of those.
022691a
[email protected]
: Updated so we can monkey patch globally. (@isaacs)c9fb0fd
Globally monkey-patch graceful-fs. This should fix some errors when installing packages with lots of dependencies. (@isaacs)
5587d0d
Nice clarification fordirectories.bin
(@ujane)20673c7
Hey, Windows folks! Check outnvm-windows
(@ArtskydJ)
5afa2d5
[email protected]
: Documented package name rules in README (@zeusdeux)021f4d9
[email protected]
: #74 Use async function for bin (to better handle Window'sEBUSY
) (@isaacs)5223432
[email protected]
: Useos.homedir()
polyfill for more reliable output. io.js added the function and the polyfill does a better job than the prior solution. (@sindresorhus)8ebbc90
[email protected]
: Make sure different git references get different cache folders. This should preventfoo/bar#v1.0
andfoo/bar#master
from sharing the same cache folder. (@tomekwi)367b854
[email protected]
: Minor test/typo changes (@isaacs)9fcae61
[email protected]
: Tiny doc change + stop firing 'match' events for ignored items. (@isaacs)
7827249
PeerDependencies
errors now include the package version. (@NickHeiner)
I keep hearing some commotion. Is there something going on? Like, a party or something? Anyway, here's a small release with at least two significant bug fixes, at least one of which some of you have been waiting for for quite a while.
[email protected]
has a change that introduces a fix for a permissions problem
whereby the _locks
directory in the cache directory can up being owned by
root. The fix in 2.12.0 takes care of that problem, but introduces a new
problem for Windows users where npm tries to call process.getuid()
, which
doesn't exist on Windows. It was easy enough to fix (but more or less
impossible to test, thanks to all the external dependencies involved with
permissions and platforms and whatnot), but as a result, Windows users might
want to skip [email protected]
and go straight to [email protected]
. Sorry about that!
7e5da23
When using the new, "fixed" cache directory creator, be extra-careful to not callprocess.getuid()
on platforms that lack it. (@othiym23)
New npm CLI team hero @zkat has finally (FINALLY)
fixed the regression somebody (hi!) introduced a couple months ago whereby git
URLs of the format git+ssh://[email protected]:org/repo.git
suddenly stopped
working, and also started being saved (and cached) incorrectly. I am 100% sure
there are absolutely no more bugs in the git caching code at all ever. Mm hm.
Yep. Pretty sure. Maybe. Hmm... I hope.
Sighs audibly.
Let us know if we broke something else with this fix.
94ca4a7
#8031 Even thoughgit+ssh://[email protected]:org/repo.git
isn't a URL, treat it like one for the purposes of npm. (@zkat)e7f56e5
#8031[email protected]
: Handle git URLs (and URL-like remote refs) in a manner consistent with npm's docs. (@zkat)
679bf47
#40[email protected]
: Handle prerelease versions in top-level dependencies not inpackage.json
without marking those packages as invalid. (@benjamn)3a67410
[email protected]
(@isaacs)151904a
[email protected]
(@isaacs)
Wow, it's finally here! This has been a long time coming. We are all delighted and proud to be getting this out into the world, and are looking forward to working with the npm user community to get it production-ready as quickly as possible.
npm@3
constitutes a nearly complete rewrite of npm's installer to be
easier to maintain, and to bring a bunch of valuable new features and
design improvements to you all.
@othiym23 and @isaacs have been talking about the changes in this release for well over a year, and it's been the primary focus of @iarna since she joined the team.
Given that this is a near-total rewrite, all changes listed here are @iarna's work unless otherwise specified.
THIS IS BETA SOFTWARE. npm@3
will remain in beta until we're
confident that it's stable and have assessed the effect of the breaking
changes on the community. During that time we will still be doing npm@2
releases, with npm@2
tagged as latest
and next
. We'll also be
publishing new releases of npm@3
as [email protected]
and [email protected]
alongside those versions until we're ready to switch everyone over to
npm@3
. We need your help to find and fix its remaining bugs. It's a
significant rewrite, so we are sure there still significant bugs
remaining. So do us a solid and deploy it in non-critical CI environments
and for day-to-day use, but maybe don't use it for production maintenance
or frontline continuous deployment just yet.
grunt
, gulp
, and broccoli
plugin maintainers take note! You will be
affected by this change!
- #6930
(#6565)
peerDependencies
no longer cause anything to be implicitly installed. Instead, npm will now warn if a packagespeerDependencies
are missing, but it's up to the consumer of the module (i.e. you) to ensure the peers get installed / are included inpackage.json
as directdependencies
ordevDependencies
of your package. - #3803
npm also no longer checks
peerDependencies
until after it has fully resolved the tree.
This shifts the responsibility for fulfilling peer dependencies from library
/ framework / plugin maintainers to application authors, and is intended to
get users out of the dependency hell caused by conflicting peerDependency
constraints. npm's job is to keep you out of dependency hell, not put you
in it.
- #6931 The rarely-used
package.json
optionengineStrict
has been deprecated for several months, producing warnings when it was used. Starting withnpm@3
, the value of the field is ignored, and engine violations will only produce warnings. If you, as a user, want strictengines
field enforcement, just runnpm config set engine-strict true
.
As with the peer dependencies change, this is about shifting control from
module authors to application authors. It turns out engineStrict
was very
difficult to understand even harder to use correctly, and more often than
not just made modules using it difficult to deploy.
77f1aec
Withnpm view
(akanpm info
), always return arrays for versions, maintainers, etc. Previously npm would return a plain value if there was only one, and multiple values if there were more. (@KenanY)
Again, this is a BETA RELEASE, so not everything is working just yet. Here are the issues that we already know about. If you run into something that isn't on this list, let us know!
- #8575 Circular deps will never be removed by the prune-on-uninstall code.
- #8588 Local deps where the dep name and the name in the package.json differ don't result in an error.
- #8637 Modules can install themselves as direct dependencies. npm@2 declined to do this.
- #8660 Dependencies of failed optional dependencies aren't rolled back when the optional dependency is, and then are reported as extraneous thereafter.
-
#5919 Previously the installer had a set of steps it executed for each package and it would immediately start executing them as soon as it decided to act on a package.
But now it executes each of those steps at the same time for all packages, waiting for all of one stage to complete before moving on. This eliminates many race conditions and makes the code easier to reason about.
This fixes, for instance:
- #6926
(#5001,
#6170)
install
andpostinstall
lifecycle scripts now only executeafter
all the module with the script's dependencies are installed.
You'll now get a tree much like the one produced by npm ls
that
highlights in orange the packages that were installed. Similarly, any
removed packages will have their names prefixed by a -
.
Also, npm outdated
used to include the name of the module in the
Location
field:
Package Current Wanted Latest Location
deep-equal MISSING 1.0.0 1.0.0 deep-equal
glob 4.5.3 4.5.3 5.0.10 rimraf > glob
Now it shows the module that required it as the final point in the
Location
field:
Package Current Wanted Latest Location
deep-equal MISSING 1.0.0 1.0.0 npm
glob 4.5.3 4.5.3 5.0.10 npm > rimraf
Previously the Location
field was telling you where the module was on
disk. Now it tells you what requires the module. When more than one thing
requires the module you'll see it listed once for each thing requiring it.
- #6928
(#2931
#2950)
npm install
when you have annpm-shrinkwrap.json
will ensure you have the modules specified in it are installed in exactly the shape specified no matter what you had when you started. - #6913
(#1341
#3124
#4956
#6349
#5465)
npm install
when some of your dependencies are missing sub-dependencies will result in those sub-dependencies being installed. That is,npm install
now knows how to fix broken installs, most of the time. - #5465
If you directly
npm install
a module that's already a subdep of something else and your new version is incompatible, it will now install the previous version nested in the things that need it. a2b50cf
#5693 When installing a new module, if it's mentioned in yournpm-shrinkwrap.json
or yourpackage.json
use the version specifier from there if you didn't specify one yourself.
Your dependencies will now be installed maximally flat. Insofar as is
possible, all of your dependencies, and their dependencies, and THEIR
dependencies will be installed in your project's node_modules
folder with no
nesting. You'll only see modules nested underneath one another when two (or
more) modules have conflicting dependencies.
- #3697 This will hopefully eliminate most cases where windows users ended up with paths that were too long for Explorer and other standard tools to deal with.
- #6912 (#4761 #4037) This also means that your installs will be deduped from the start.
- #5827 This deduping even extends to git deps.
- #6936 (#5698) Various commands are dedupe aware now.
This has some implications for the behavior of other commands:
npm uninstall
removes any dependencies of the module that you specified that aren't required by any other module. Previously, it would only remove those that happened to be installed under it, resulting in left over cruft if you'd ever deduped.npm ls
now shows you your dependency tree organized around what requires what, rather than where those modules are on disk.- #6937
npm dedupe
now flattens the tree in addition to deduping.
And bundling of dependencies when packing or publishing changes too:
- #2442 bundledDependencies no longer requires that you specify deduped sub deps. npm can now see that a dependency is required by something bundled and automatically include it. To put that another way, bundledDependencies should ONLY include things that you included in dependencies, optionalDependencies or devDependencies.
- #5437
When bundling a dependency that's both a
devDependency
and the child of a regulardependency
, npm bundles the child dependency.
As a demonstration of our confidence in our own work, npm's own
dependencies are now flattened, deduped, and bundled in the npm@3
style.
This means that npm@3
can't be packed or published by npm@2
, which is
something to be aware of if you're hacking on npm.
First of all, they should be idempotent now
(#5779). No more differences
because the first time you install (without npm-shrinkwrap.json
) and the
second time (with npm-shrinkwrap.json
).
- #6781
Second, if you save your changes to
package.json
and you havenpm-shrinkwrap.json
, then it will be updated as well. This applies to all of the commands that update your tree:npm install --save
npm update --save
npm dedupe --save
(#6410)npm uninstall --save
- #4944
(#5161
#5448)
Third, because
node_modules
folders are now deduped and flat, shrinkwrap has to also be smart enough to handle this.
And finally, enjoy this shrinkwrap bug fix:
- #3675
When shrinkwrapping a dependency that's both a
devDependency
and the child of a regulardependency
, npm now correctly includes the child.
- #6911 (#1257 #5340 #6420) The spinner is gone (yay? boo? will you miss it?), and in its place npm has progress bars, so you actually have some sense of how long installs will take. It's provided in Unicode and non-Unicode variants, and Unicode support is automatically detected from your environment.
The bottom is where we usually hide the less interesting bits of each release, but each of these are small but incredibly useful bits of this release, and very much worth checking out:
9ebe312
Build system maintainers, rejoice: npm does a better job of cleaning up after itself in your temporary folder.- #6942 Check for permissions issues prior to actually trying to install anything.
- Emit warnings at the end of the installation when possible, so that they'll be on your screen when npm stops.
- #3505
npm --dry-run
: You can now ask that npm only report what it would have done with the new--dry-run
flag. This can be passed to any of the commands that change yournode_modules
folder:install
,uninstall
,update
anddedupe
. 81b46fb
npm now knows the correct URLs fornpm bugs
andnpm repo
for repositories hosted on Bitbucket and GitLab, just like it does for GitHub (and GitHub support now extends to projects hosted as gists as well as traditional repositories).5be4008a
npm has been cleaned up to pass thestandard
style checker. Forrest and Rebecca both feel this makes it easier to read and understand the code, and should also make it easier for new contributors to put merge-ready patches. (@othiym23)
6401643
Make sure the global install directory exists before installing to it. (@thefourtheye)- #6158 When we remove modules we do so inside-out running unbuild for each one.
960a765
The short usage information for each subcommand has been brought in sync with the documentation. (@smikes)
About a million people have filed issues related to having a tough time using npm after they've run npm once or twice with sudo. "Don't worry about it!" I said. "We've fixed all those permissions problems ages ago! Use this one weird trick and you'll never have to deal with this again!"
Well, uh, if you run npm with root the first time you run npm on a machine, it
turns out that the directory npm uses to store lockfiles ends up being owned by
the wrong user (almost always root), and that can, well, it can cause problems
sometimes. By which I mean every time you run npm without being root it'll barf
with EACCES
errors. Whoops!
This is an obnoxious regression, and to prevent it from recurring, we've made
it so that the cache, cached git remotes, and the lockfile directories are all
created and maintained using the same utilty module, which not only creates the
relevant paths with the correct permissions, but will fix the permissions on
those directories (if it can) when it notices that they're broken. An npm install
run as root ought to be sufficient to fix things up (and if that
doesn't work, first tell us about it, and then run sudo chown -R $(whoami) $HOME/.npm
)
Also, I apologize for inadvertently gaslighting any of you by claiming this bug wasn't actually a bug. I do think we've got this permanently dealt with now, but I'll be paying extra-close attention to permissions issues related to the cache for a while.
That's not literally true. We spent very little time discussing SPDX, @kemitchell is a champ, and I had a lot of fun playing drum & bass to a mostly empty Boogie Barn and only ended up with one moderately severe cold for my pains. Another winner of a NodeConf! (I would probably wear a SPDX T-shirt if somebody gave me one, though.)
A bunch of us did have a spirited discussion of the basics of open-source
intellectual property, and the convergence of me,
@kemitchell, and
@jandrieu in one place allowed us to hammmer out
a small but significant issue that had been bedeviling early adopters of the
new SPDX expression syntax in package.json
license fields: how to deal with
packages that are left without a license on purpose.
Refer to the docs
for the specifics, but the short version is that instead of using
LicenseRef-LICENSE
for proprietary licenses, you can now use either
UNLICENSED
if you want to make it clear that you don't want your software
to be licensed (and want npm to stop warning you about this), or SEE LICENSE IN <filename>
if there's a license with custom text you want to use. At some
point in the near term, we'll be updating npm to verify that the mentioned
file actually exists, but for now you're all on the honor system.
4827fc7
#8557[email protected]
: AllowUNLICENSED
andSEE LICENSE IN <filename>
in "license" field ofpackage.json
. (@kemitchell)16a3dd5
#8557 Document the new accepted values for the "license" field. (@kemitchell)8155311
#8557[email protected]
: Support new "license" field values at init time. (@kemitchell)
9d8cac9
#8548 Remove extraneous newline fromnpm view
output, making it easier to use in shell scripts. (@eush77)765fd4b
#8521 When checking for outdated packages, or updating packages, raise an error when the registry is unreachable instead of silently "succeeding". (@ryantemple)
5018335
#8365 Add details about which git environment variables are whitelisted by npm. (@nmalaguti)bed9edd
#8554 Fix typo in version docs. (@rainyday)
7ce2f06
[email protected]
: Refactor tunneling logic, and useextend
instead of abusingutil._extend
. (@simov)e6c6195
[email protected]
: Refined interception behavior. (@pgte)9583cc3
[email protected]
: Ensure thatmain
entry inpackage.json
is always included in the bundled package tarball. (@coderhaoxin)df89493
[email protected]
(@isaacs)9744049
[email protected]
:dezalgo
should be usable in the browser, and can be now thatasap
has been upgraded to be browserifiable. (@mvayngrib)
This was a very quiet week. This release was done by @iarna, while the rest of the team hangs out at NodeConf Adventure!
9f439da
[email protected]
: License range updates (@kemitchell)2dd055b
[email protected]
: Fixes a crashing bug when the package.jsonscripts
property is not an object. (@iarna)e02e85d
[email protected]
: Switches to using theos-tmpdir
module instead ofos.tmpdir()
for greate consistency in behavior between node versions. (@iarna)a6f0265
[email protected]
(@isaacs)7395977
[email protected]
(@isaacs)
Another small release this week, brought to you by the latest addition to the CLI team, @zkat (Hi, all!)
Mostly small documentation tweaks and version updates. Oh! And npm outdated
is actually sorted now. Rejoice!
It's gonna be a while before we get another palindromic version number. Enjoy it while it lasts. :3
31aada4
#8401npm outdated
output is just that much nicer to consume now, due to sorting by name. (@watilde)458a919
#8469 Explicitly setcwd
forpreversion
,version
, andpostversion
scripts. This makes the scripts findable relative to the root dir. (@alexkwolfe)55d6d71
Ensure package name and version are included in display duringnpm version
lifecycle execution. Gets rid of those littleundefined
s in the console. (@othiym23)
3901e49
#8462 English apparently requires correspondence between indefinite articles and attached nouns. (@Enet4)5a744e4
#8421 The effect ofnpm prune
's--production
flag and how to use it have been documented a bit better. (@foiseworth)eada625
We've updated our.mailmap
andAUTHORS
files to make sure credit is given where credit is due. (@othiym23)
c929fd1
[email protected]
: Manually dedupedv1.1.13
(streams3) to make deduping more reliable onnpm@<3
. (@othiym23)a9b4b78
[email protected]
: Replace dependency on IncomingMessage's.client
with.socket
as the former was deprecated in io.js 2.2.0. (@othiym23)4b5e557
[email protected]
: Better testing, with coverage. (@othiym23)561affe
[email protected]
: .npmignore added for less cruft, and better testing, with coverage. (@othiym23)60aef3c
[email protected]
: io.js fixes. (@zkat)f8bd453
[email protected]
: Added MIT license to package.json (@zkat)
This release brought to you from poolside at the Omni Amelia Island Resort and JSConf 2015, which is why it's so tiny.
cf109a6
#8381 Documented a subtle gotcha with.npmrc
, which is that it needs to have its permissions set such that only the owner can read or write the file. (@colakong)180da67
#8365 Git 2.3 adds support forGIT_SSH_COMMAND
, which allows you to pass an explicit git command (with, for example, a specific identity passed in on the command line). (@nmalaguti)
b72de41
[email protected]
: Use a newer version ofgyp
, and generally improve support for Visual Studios and Windows. (@TooTallNate)8edbe21
[email protected]
: Don't crash when Python's version doesn't parse as valid semver. (@TooTallNate)ba0e0a8
[email protected]
: Add coverage to tests. (@isaacs)7333701
[email protected]
: Bug fixes and dependency upgrades. (@simov)
For the first time in a very long time, we've added new events to the life
cycle used by npm run-script
. Since running npm version (major|minor|patch)
is typically the last thing many developers do before publishing their updated
packages, it makes sense to add life cycle hooks to run tests or otherwise
preflight the package before doing a full publish. Thanks, as always, to the
indefatigable @watilde for yet another great
usability improvement for npm!
b07f7c7
#7906 Add newscripts
to allow you to run scripts before and after thenpm version
command has run. This makes it easy to, for instance, require that your test suite passes before bumping the version by just adding"preversion": "npm test"
to the scripts section of yourpackage.json
. (@watilde)8a46136
#8185 When we get a "not found" error from the registry, we'll now check to see if the package name you specified is invalid and if so, give you a better error message. (@thefourtheye)
9bcf573
#8324 On Windows, when you've configured a customnode-gyp
, run it with node itself instead of using the default open action (which is almost never what you want). (@bangbang93)1da9b04
#7195 #7260[email protected]
: (Re-)allow publication of existing mixed-case packages (part 1). (@smikes)e926783
#7195 #7260[email protected]
: (Re-)allow publication of existing mixed-case packages (part 2). (@smikes)
f62ee05
#8314 Update the README to warn folks away from using the CLI's internal API. For the love of glob, just use a child process to run the CLI! (@claycarpenter)1093921
#8279 Update the documentation to note that, yes, you can publish scoped packages to the public registry now! (@mantoni)f87cde5
#8292 Fix typo in an example and grammar in the description in the shrinkwrap documentation. (@vshih)d3526ce
Improve the formatting in the shrinkwrap documentation. (@othiym23)19fe6d2
#8311 Update README.md to use syntax highlighting in its code samples and bits of shell scripts. (@SimenB)
fc52160
#4700 #5044[email protected]
: Make entering an invalid version while runningnpm init
give you an immediate error and prompt you to correct it. (@watilde)738853e
#7763[email protected]
: Fix a bug where errors would not propagate, making error messages unhelpful. (@iarna)6d74a2d
[email protected]
: Fix tests on windows (@Bacra) and with more recenthosted-git-info
. (@iarna)50f7178
[email protected]
: Correct spelling in its documentation. (@iarna)d7956ca
[email protected]
: Fix a bug where unusual error conditions could make further use of the module fail. (@isaacs)44f7d74
[email protected]
: Update to the most recent tap to get a whole host of bug fixes and integration with coveralls. (@isaacs)c21e8a8
[email protected]
(@othiym23)
- Add missing ISC license file to package (@kasicka):
- Switch license to BSD-2-Clause from plain "BSD" (@isaacs):
- Switch license to ISC from BSD (@isaacs):
- Switch license to ISC from MIT (@isaacs):
dc77520
When getting back a 404 from a request to a private registry that uses a registry path that extends past the root (http://registry.enterprise.co/path/to/registry
), display the name of the nonexistent package, rather than the first element in the registry API path. Sorry, Artifactory users! (@hayes)f70dea9
Make clearer that--registry
can be used on a per-publish basis to push a package to a non-default registry. (@mischkl)a3e26f5
Did you know that GitHub shortcuts can have commit-ishes included (org/repo#branch
)? They can! (@iarna)0e2c091
Some errors fromreadPackage
were being swallowed, potentially leading to invalid package trees on disk. (@smikes)
0b901ad
[email protected]
: Removed some cruft from the published package. (@isaacs)d713e0b
[email protected]
: Made compliant withstandard
, dropped support for Node 0.6, added (Travis) support for Node 0.12 and io.js. (@isaacs)a2d6578
[email protected]
: Updated to usetap@1
. (@isaacs)64cd1a5
fstream@ 1.0.6
: Made compliant withstandard
(done by @othiym23, and then debugged and fixed by @iarna), and license changed to ISC. (@othiym23 / @iarna)b527a7c
[email protected]
: Callers can pass in their ownPATH
instead of relying onprocess.env
. (@isaacs)
If you've done much development in The Enterprise®™, you know that keeping track of software licenses is far more important than one might expect / hope / fear. Tracking licenses is a hassle, and while many (if not most) of us have (reluctantly) gotten around to setting a license to use by default with all our new projects (even if it's just WTFPL), that's about as far as most of us think about it. In big enterprise shops, ensuring that projects don't inadvertently use software with unacceptably encumbered licenses is serious business, and developers spend a surprising (and appalling) amount of time ensuring that licensing is covered by writing automated checkers and other license auditing tools.
The Linux Foundation has been working on a machine-parseable syntax for license
expressions in the form of SPDX, an appropriately
enterprisey acronym. IP attorney and JavaScript culture hero Kyle
Mitchell has put a considerable amount of effort into
bringing SPDX to JavaScript and Node. He's written
spdx.js
, a JavaScript SPDX
expression parser, and has integrated it into npm in a few different ways.
For you as a user of npm, this means:
- npm now has proper support for dual licensing in
package.json
, due to SPDX's compound expression syntax. Runnpm help package.json
for details. - npm will warn you if the
package.json
for your project is either missing a"license"
field, or if the value of that field isn't a valid SPDX expression (pro tip:"BSD"
becomes"BSD-2-Clause"
in SPDX (unless you really want one of its variants);"MIT"
and"ISC"
are fine as-is; the full list is its own package). npm init
now demands that you use a valid SPDX expression when using it interactively (pro tip: I mostly usenpm init -y
, having previously runnpm config set init.license=MIT
/npm config set init.author.email=foo
/npm config set init.author.name=me
).- The documentation for
package.json
has been updated to tell you how to use the"license"
field properly with SPDX.
In general, this shouldn't be a big deal for anybody other than people trying to run their own automated license validators, but in the long run, if everybody switches to this format, many people's lives will be made much simpler. I think this is an important improvement for npm and am very thankful to Kyle for taking the lead on this. Also, even if you think all of this is completely stupid, just choose a license anyway. Future you will thank past you someday, unless you are djb, in which case you are djb, and more power to you.
8669f7d
#8179 Document how to use SPDX inlicense
stanzas inpackage.json
, including how to migrate from old busted license declaration arrays to fancy new compound-license clauses. (@kemitchell)98ad98c
#8197[email protected]
Ensure that packages bootstrapped withnpm init
use an SPDX-compliant license expression. (@kemitchell)2ad3905
#8197[email protected]
: Warn when a package is missing a license declaration, or using a license expression that isn't valid SPDX. (@kemitchell)127bb73
#8197[email protected]
: Switch fromBSD
toISC
for license, where the latter is valid SPDX. (@othiym23)e9a933a
#8197[email protected]
: Switch fromBSD
toISC
for license, where the latter is valid SPDX. (@othiym23)412401f
#8197[email protected]
: Switch fromBSD
toISC
for license, where the latter is valid SPDX. (@othiym23)
As a corollary to the previous changes, I've put some work into making npm install
spew out fewer pointless warnings about missing values in transitive
dependencies. From now on, npm will only warn you about missing READMEs,
license fields, and the like for top-level projects (including packages you
directly install into your application, but we may relax that eventually).
Practically nobody liked having those warnings displayed for child dependencies, for the simple reason that there was very little that anybody could do about those warnings, unless they happened to be the maintainers of those dependencies themselves. Since many, many projects don't have SPDX-compliant licenses, the number of warnings reached a level where they ran the risk of turning into a block of visual noise that developers (read: me, and probably you) would ignore forever.
So I fixed it. If you still want to see the messages about child dependencies,
they're still there, but have been pushed down a logging level to info
. You
can display them by running npm install -d
or npm install --loglevel=info
.
eb18245
Only warn on normalization errors for top-level dependencies. Transitive dependency validation warnings are logged atinfo
level. (@othiym23)
e40e809
[email protected]
: TAP: The Next Generation. Fix up many tests to they work properly with the new major version ofnode-tap
. Look at all the colors! (@isaacs)f9314e9
[email protected]
: Minor tweaks and bug fixes. (@pgte)45c2b1a
#8187npm ls
wasn't properly recognizing dependencies installed from GitHub repositories as git dependencies, and so wasn't displaying them as such. (@zornme)1ab57c3
In some cases,npm help
was using something that looked like a regular expression where a glob pattern should be used, and vice versa. (@isaacs)
The first item below is actually a pretty big deal, as it fixes (with a
one-word change and a much, much longer test case (thanks again,
@iarna)) a regression that's been around for months
now. If you're depending on multiple branches of a single git dependency in a
single project, you probably want to check out [email protected]
and verify that
things (again?) work correctly in your project.
178a6ad
#7202 When caching git dependencies, do so by the whole URL, including the branch name, so that if a single application depends on multiple branches from the same repository (in practice, multiple version tags), every install is of the correct version, instead of reusing whichever branch the caching process happened to check out first. (@iarna)63b79cc
#8084 Ensure that Bitbucket, GitHub, and Gitlab dependencies are installed the same way as non-hosted git dependencies, fixingnpm install --link
. (@laiso)
These changes may seem simple and small (except Lin's fix to the package name restrictions, which was more an egregious oversight on our part), but cleaner documentation makes npm significantly more pleasant to use. I really appreciate all the typo fixes, clarifications, and formatting tweaks people send us, and am delighted that we get so many of these pull requests. Thanks, everybody!
ca478dc
#8137 Somehow, we had failed to clearly document the full restrictions on package names. @linclark has now fixed that, although we will take with us to our graves the reasons why the maximum package name length is 214 characters (well, OK, it was that that was the longest name in the registry when we decided to put a cap on the name length). (@linclark)b574076
#8079 Make thenpm shrinkwrap
documentation use code formatting for examples consistently. It would be great to do this for more commands HINT HINT. (@RichardLitt)1ff636e
#8105 Document that the globalnpmrc
goes in$PREFIX/etc/npmrc
, instead of$PREFIX/npmrc
. (@anttti)c3f2f7c
#8127 Document how to usenpm run build
directly (hint: it's different fromnpm build
!). (@mikemaccana)873e467
#8069 Take the old, dead npm mailing list address out ofpackage.json
. It seems that people don't have much trouble figuring out how to report errors to npm. (@robertkowalski)
5abfc9c
#7973npm run-script
completion will only suggest run scripts, instead of including dependencies. If for some reason you still wanted it to suggest dependencies, let us know. (@mantoni)4b564f0
#8081 Useosenv
to parse the environment'sPATH
in a platform-neutral way. (@watilde)a4b6238
#8094 When we refactored the configuration code to split out checking for IPv4 local addresses, we inadvertently completely broke it by failing to return the values. In addition, just the call toos.getInterfaces()
could throw on systems where querying the network configuration requires elevated privileges (e.g. Amazon Lambda). Add the return, and trap errors so they don't cause npm to explode. Thanks to @mhart for bringing this to our attention! (@othiym23)
000cd8b
[email protected]
: More informative assertions on argument validation failure. (@isaacs)530a2e3
[email protected]
: Revert to old key access-time behavior, as it was correct all along. (@isaacs)d88958c
[email protected]
: Feature detection and test improvements. (@isaacs)3fa39e4
[email protected]
(@pgte)
This week was kind of a breather to concentrate on fixing up the tests on the
multi-stage
branch, and not mess with git issues for a little while.
Unfortunately, There are now enough severe git issues that we'll probably have
to spend another couple weeks tackling them. In the meantime, enjoy these two
small features. They're just enough to qualify for a semver-minor bump:
2799322
#7426 Include local modules innpm outdated
andnpm update
. (@ArnaudRinquin)2114862
#8014 The prefix used before the version on version tags is now configurable viatag-version-prefix
. Be careful with this one and read the docs before using it. (@kkragenbrink)
18ce0ec
#3032npm unpublish
will now use the registry set inpackage.json
, just likenpm publish
. This only applies, for now, when unpublishing the entire package, as unpublishing a single version requires the name be included on the command line and therefore doesn't read frompackage.json
. (@watilde)9ad2100
#8008 Once again, when considering what to install onnpm install
, includedevDependencies
. (@smikes)5466260
#8003 Clarify the documentation around scopes to make it easier to understand how they support private packages. (@smikes)
faf65a7
[email protected]
: If there are multiple validation errors and warnings, ensure they all get displayed (includes a rad new way of testinginit-package-json
contributed by @michaelnisi). (@MisumiRize)7f10f38
[email protected]
:1.0.0
is literally more than0.1.0
(no change aside from version number). (@substack)4979af3
#6805[email protected]
: Decode scoped package names sent by the registry so they look nicer. (@mmalecki)
This is the fourth release of npm this week, so it's mostly just landing a few
small outstanding PRs on dependencies and some tiny documentation tweaks.
[email protected]
is where the real action is.
ee2bd77
#7983[email protected]
: Better error reporting in corrupted tar files, and add support for thefromBase
flag (rescued from the dustbin of history by @deanmarano). (@othiym23)d8eee6c
[email protected]
: Add support for a default author, and only add scope to a package name once. (@othiym23)4fc5d98
[email protected]
: Small tweaks to cache value aging and entry counting that are irrelevant to npm. (@isaacs)1fe5840
#7946 Makenpm init
text friendlier. (@sandfox)
This is the last of a set of releases intended to ensure npm's git support is robust enough that we can stop working on it for a while. These fixes are small, but prevent a common crasher and clear up one of the more confusing error messages coming out of npm when working with repositories hosted on git.
387f889
#7961 Ensure that hosted git SSH URLs always have a valid protocol when stored inresolved
fields innpm-shrinkwrap.json
. (@othiym23)394c2f5
Switch the order in which hosted Git providers are checked togit:
,git+https:
, thengit+ssh:
(fromgit:
,git+ssh:
, thengit+https:
) in an effort to go from most to least likely to succeed, to make for less confusing error message. (@othiym23)
npm has been having an issue with CouchDB's web server since the release
of io.js and Node.js 0.12.0 that has consumed a huge amount of my time
to little visible effect. Sam Mikes picked up the thread from me, and
after a lot of effort
figured out that ultimately there are probably a couple problems with
the new HTTP Agent keep-alive handling in new versions of Node. In
addition, npm-registry-client
was gratuitously sending a body along
with a GET request which was triggering the bugs. Sam removed about 10 bytes from
one file in npm-registry-client
, and this problem, which has been bugging us for months,
completely went away.
In conclusion, Sam Mikes is great, and anybody using a private registry hosted on CouchDB should thank him for his hard work. Also, thanks to the community at large for pitching in on this bug, which has been around for months now.
431c3bf
#7699[email protected]
: Don't send body with HTTP GET requests when logging in. (@smikes)
A helpful bug report
led to another round of changes to
hosted-git-info
,
some additional test-writing, and a bunch of hands-on testing against actual
private repositories. While the complexity of npm's git dependency handling is
nearly fractal (because npm is very complex, and git is even more complex),
it's feeling way more solid than it has for a while. We think this is a
substantial improvement over what we had before, so give [email protected]
a shot if
you have particularly complex git use cases and
let us know how it goes.
(NOTE: These changes mostly affect cloning and saving references to packages hosted in git repositories, and don't address some known issues with things like lifecycle scripts not being run on npm dependencies. Work continues on other issues that affect parity between git and npm registry packages.)
66377c6
#7872[email protected]
: Pass through credentials embedded in SSH and HTTPs git URLs. (@othiym23)15efe12
#7872 Use the new version ofhosted-git-info
to pass along credentials embedded in git URLs. Test it. Test it a lot. (@othiym23)
Big thanks to @ewie for identifying an issue with
how npm was handling peerDependencies
that were implicitly installed from the
package.json
files of scoped dependencies. This
will be a moot point
with the release of npm@3
, but until then, it's important that
peerDependency
auto-installation work as expected.
b027319
#7920 Scoped packages withpeerDependencies
were installing thepeerDependencies
into the wrong directory. (@ewie)649e31a
#7920 TestpeerDependency
installs involving scoped packages usingnpm-package-arg
instead of simple path tests, for consistency. (@othiym23)
@iarna and I
(@othiym23) have been discussing a
candidate plan
for improving npm's test suite, with the goal of making it easier for new
contributors to get involved with npm by reducing the learning curve
necessary to be able to write good tests for proposed changes. This is the
first substantial piece of that effort. Here's what the commit message for
ed7e249
had to say about this work:
It's too difficult for npm contributors to figure out what the conventional style is for tests. Part of the problem is that the documentation in CONTRIBUTING.md is inadequate, but another important factor is that the tests themselves are written in a variety of styles. One of the most notable examples of this is the fact that many tests use fixture directories to store precooked test scenarios and package.json files.
This had some negative consequences:
- tests weren't idempotent
- subtle dependencies between tests existed
- new tests get written in this deprecated style because it's not obvious that the style is out of favor
- it's hard to figure out why a lot of those directories existed, because they served a variety of purposes, so it was difficult to tell when it was safe to remove them
All in all, the fixture directories were a major source of technical debt, and cleaning them up, while time-consuming, makes the whole test suite much more approachable, and makes it more likely that new tests written by outside contributors will follow a conventional style. To support that, all of the tests touched by this changed were cleaned up to pass the
standard
style checker.
And here's a little extra context from a comment I left on #7929:
One of the other things that encouraged me was looking at this presentation on technical debt from Pycon 2015, especially slide 53, which I interpreted in terms of difficulty getting new contributors to submit patches to an OSS project like npm. npm has a long ways to go, but I feel good about this change.
ed7e249
#7929 Eliminate fixture directories fromtest/tap
, leaving each test self-contained. (@othiym23)4928d30
#7929 Move fixture files fromtest/tap/*
totest/fixtures
. (@othiym23)e925deb
#7929 Tweak the run scripts to stop slaughtering the CPU on doc rebuild. (@othiym23)65bf7cf
#7923 Use an alias of scripts and run-scripts innpm run test-all
(@watilde)756a3fb
#7923 Sync timeout time ofnpm run-script test-all
to be the same astest
andtap
scripts. (@watilde)8299b5f
Set a timeout for tap tests fornpm run-script test-all
. (@othiym23)
d90d0b9
#7924 Removechild-process-close
, as it was included for Node 0.6 compatibility, and npm no longer supports 0.6. (@robertkowalski)16427c1
[email protected]
: More accurate updating of expiry times whenmaxAge
is set. (@isaacs)03cce83
[email protected]
: Mocked network error handling. (@pgte)f93b1f0
[email protected]
: Usepath-is-absolute
polyfill, allowing newer Node.js and io.js versions to usepath.isAbsolute()
. (@sindresorhus)a70d694
[email protected]
: Bug fixes and simplification. (@simov)2aecc6f
[email protected]
: Switch to using babel from 6to5. (@timoxley)
If you look at the last release's release
notes,
you will note that they confidently assert that it's perfectly OK to force all
GitHub URLs through the same git:
-> git+ssh:
fallback flow for cloning. It
turns out that many users depend on git+https:
URLs in their build
environments because they use GitHub auth tokens instead of SSH keys. Also, in
some cases you just want to be able to explicitly say how a given dependency
should be cloned from GitHub.
Because of the way we resolved the inconsistency in GitHub shorthand handling
before, this
turned out to be difficult to work around. So instead of hacking around it, we
completely redid how git is handled within npm and its attendant packages.
Again. This time, we changed things so that normalize-package-data
and
read-package-json
leave more of the git logic to npm itself, which makes
handling shorthand syntax consistently much easier, and also allows users to
resume using explicit, fully-qualified git URLs without npm messing with them.
Here's a summary of what's changed:
- Instead of converting the GitHub shorthand syntax to a
git+ssh:
,git:
, orgit+https:
URL and saving that, save the shorthand itself topackage.json
. - If presented with shortcuts, try cloning via the git protocol, SSH, and HTTPS (in that order).
- No longer prompt for credentials -- it didn't work right with the spinner,
and wasn't guaranteed to work anyway. We may experiment with doing this a
better way in the future. Users can override this by setting
GIT_ASKPASS
in their environment if they want to experiment with interactive cloning, but should also set--no-spin
on the npm command line (or runnpm config set spin=false
). - EXPERIMENTAL FEATURE: Add support for
github:
,gist:
,bitbucket:
, andgitlab:
shorthand prefixes. GitHub shortcuts will continue to be normalized toorg/repo
instead of being saved asgithub:org/repo
, butgitlab:
,gist:
, andbitbucket:
prefixes will be used on the command line and frompackage.json
. BE CAREFUL WITH THIS.package.json
files published with the new shorthand syntax can only be read by[email protected]
and later, and this feature is mostly meant for playing around with it. If you want to save git dependencies in a form that older versions of npm can read, use--save-exact
, which will save the git URL and resolved commit hash of the head of the branch in a manner similar to the way that--save-exact
pins versions for registry dependencies. This is documented (so checknpm help install
for details), but we're not going to make a lot of noise about it until it has a chance to bake in a little more.
It is @othiym23's sincere hope that this will resolve all of the inconsistencies users were seeing with GitHub and git-hosted packages, but given the level of change here, that may just be a fond wish. Extra testing of this change is requested.
6b0f588
#7867 Use git shorthand and git URLs as presented by user. Support newhosted-git-info
shortcut syntax. Save shorthand inpackage.json
. Try cloning viagit:
,git+ssh:
, andgit+https:
, in that order, when supported by the underlying hosting provider. (@othiym23)75d4267
#7867 Document new GitHub, GitHub gist, Bitbucket, and GitLab shorthand syntax. (@othiym23)7d92c75
#7867 When--save-exact
is used with git shorthand or URLs, save the fully-resolved URL, with branch name resolved to the exact hash for the commit checked out. (@othiym23)9220e59
#7867 Ensure that non-prefixed and non-normalized GitHub shortcuts are saved topackage.json
. (@othiym23)dd398e9
#7867[email protected]
: Ensure thatgist:
shorthand survives being round-tripped throughpackage.json
. (@othiym23)33d1420
#7867[email protected]
: Add support for auth embedded directly in git URLs. (@othiym23)23a1d5a
#7867[email protected]
: Make it possible to determine in which form a hosted git URL was passed. (@iarna)eaf75ac
#7867[email protected]
: Normalize GitHub specifiers so they pass through shortcut syntax and preserve explicit URLs. (@iarna)95e0535
#7867[email protected]
: Add git URL and shortcut to hosted git spec and use[email protected]
. (@iarna)a808926
#7867[email protected]
: Use[email protected]
and test shortcut specifier behavior. (@iarna)6dd1e03
#7867[email protected]
: Allow dependency on[email protected]
. (@iarna)63254bb
#7867[email protected]
: Use[email protected]
. (@iarna)254b887
#7867[email protected]
: Use[email protected]
. (@iarna)0b9f8be
#7867[email protected]
: Mark compatibility with[email protected]
and[email protected]
. (@iarna)f40ecaa
#7867 Extract a common method to use when cloning git repos for testing. (@othiym23)
npm continues to get closer to being completely green on Travis for Node 0.8.
26d36e9
#7842 When spawning child processes, map exit code 127 to ENOENT so Node 0.8 handles child process failures the same as later versions. (@SonicHedgehog)54cd895
#7842 Node 0.8 requires -e with -p when evaluating snippets; fix test. (@SonicHedgehog)
20e9003
[email protected]
: Fix regression where relative symbolic links within an extraction root that pointed within an extraction root would get normalized to absolute symbolic links. (@isaacs)2ef8898
#7879 Better document thatnpm publish --tag=foo
will not setlatest
to that version. (@linclark)
Part of the reason that we're reluctant to take patches to how npm deals with
git dependencies is that every time we touch the git support, something breaks.
The last few releases are a case in point. [email protected]
completely broke
installing private modules from GitHub, and [email protected]
fixed them at the cost
of logging a misleading error message that caused many people to believe that
their dependencies hadn't been successfully installed when they actually had
been.
This all started from a desire to ensure that GitHub shortcut syntax is being
handled correctly. The correct behavior is for npm to try to clone all
dependencies on GitHub (whether they're specified with the GitHub
organization/repository
shortcut syntax or not) via the plain git:
protocol
first, and to fall back to using git+ssh:
if git:
doesn't work. Previously,
sometimes npm would use git:
and git+ssh:
in some cases (most notably when
using GitHub shortcut syntax on the command line), and use git+https:
in
others (when the GitHub shortcut syntax was present in package.json
). This
led to subtle and hard-to-understand inconsistencies, and we're glad that as of
[email protected]
, we've finally gotten things to where they were before we started,
only slightly more consistent overall.
We are now going to go back to our policy of being extremely reluctant to touch the code that handles Git dependencies.
b747593
#7630 Don't automatically log all git failures as errors.maybeGithub
needs to be able to fail without logging to support its fallback logic. (@othiym23)cd67a0d
#7829 When fetching a git remote URL, handle failures gracefully (without assuming standard output exists). (@othiym23)637c7d1
#7829 When fetching a git remote URL, handle failures gracefully (without assuming standard error exists). (@othiym23)
78005eb
#7743 Always quote arguments passed tonpm run-script
. This allows build systems and the like to safely escape glob patterns passed as arguments torun-scripts
with `npm run-script <script> -- `. This is a tricky change to test, and may be reverted or moved to `npm@3` if it turns out it breaks things for users. ([@mantoni](https://github.com/mantoni))da015ee
#7074[email protected]
:read-package-json
no longer cachespackage.json
files, which trades a very small performance loss for the elimination of a large class of really annoying race conditions. See #7074 for the grisly details. (@othiym23)dd20f57
[email protected]
: Only add the@
to scoped package names if it's not already there when reading from the filesystem (@watilde), and support inline validation of package names (@michaelnisi).
1f380f6
#7820[email protected]
: Usereadable-stream
instead of built-instream
module to better support Node.js 0.8.x. (@SonicHedgehog)d380188
[email protected]
: Don't throw onsemver.parse(null)
, and parse numeric version strings more robustly. (@isaacs)01d9964
[email protected]
: This change may need to be rolled back, or rolled forward, because nock depends onsetImmediate
, which causes tests to fail when run with Node.js 0.8. (@othiym23)91f5cb1
#7791 Fix brackets in npmconf so thatloaded
is set correctly. (@charmander)1349e27
#7818 UpdateREADME.md
to point out that the install script now lives on https://www.npmjs.com. (@weisjohn)
300834e
[email protected]
: Normalize symbolic links that point to targets outside the extraction root. This prevents packages containing symbolic links from overwriting targets outside the expected paths for a package. Thanks to Tim Cuthbertson and the team at Lift Security for working with the npm team to identify this issue. (@othiym23)0dc6875
[email protected]
: Package versions can be no more than 256 characters long. This prevents a situation in which parsing the version number can use exponentially more time and memory to parse, leading to a potential denial of service. Thanks to Adam Baldwin at Lift Security for bringing this to our attention. (@isaacs)
5811468
#7713 Add a test fornpm link
andnpm link <package>
. (@watilde)3cf3b0c
#7713 Only use absolute symbolic links whennpm link
ing. (@hokaccha)f35aa93
#7443 Keep relative URLs when hitting search endpoint. (@othiym23)eab6184
#7766 One last tweak to ensure that GitHub shortcuts work with private repositories. (@iarna)5d7f704
#7656 Don't try to load a deleted CA file, allowing thecafile
config to be changed. (@KenanY)a840a13
#7746 Only fix up URL paths when there are paths to fix up. (@othiym23)
94df809
[email protected]
: Fixes for Node.js 0.12 and io.js. (@simov)98a13ea
[email protected]
: Deal withstart
on Windows more conventionally. (@domenic)c2417c7
[email protected]
: Add installGlobally to bypass cleanups. (@iarna)
f87c728
#7696 Months and minutes were swapped in doc-build.sh (@MeddahJ)4e216b2
#7752 Update string examples to be properly quoted. (@snuggs)402f52a
#7635 Clarify Windows installation instructions. (@msikma)c910399
small typo fix toCHANGELOG.md
(@e-jigsaw)
fe1bc38
#7672[email protected]
: Fix client-side certificate handling by correcting property name. (@atamon)3ce3cc2
#7635[email protected]
: Raise a more descriptive error whenbundledDependencies
isn't an array. (@KenanY)3a12723
#7661 Allow setting--registry
on the command line to trump the mapped registry for--scope
. (@othiym23)89ce829
#7630[email protected]
: Part 3 of ensuring that GitHub shorthand is handled consistently. (@othiym23)63313eb
#7630[email protected]
: Part 2 of ensuring that GitHub shorthand is handled consistently. (@othiym23)3ed41bf
#7630[email protected]
: Part 1 of ensuring that GitHub shorthand is handled consistently. (@othiym23)
6a498c6
[email protected]
: Ensure that npm continues to work with new registry architecture. (@bcoe)bd72c47
[email protected]
: Updated to latest version. (@isaacs)4bfbaa2
[email protected]
: Getting up to date with latest version (but not using any of the new features). (@othiym23)
3703b0b
Add regression test fornpm version
to ensuremessage
property in config continues to be honored. (@dannyfritz)
1549106
#7641 Due to 448efd0, runningnpm shrinkwrap --dev
caused production dependencies to no longer be included innpm-shrinkwrap.json
. Whoopsie! (@othiym23)
fb0ac26
#7579 Only block removing files and links when we're sure npm isn't responsible for them. This change is hard to summarize, because if things are working correctly you should never see it, but if you want more context, just go read the commit message, which lays it all out. (@othiym23)051c473
#7552bundledDependencies
are now properly included in the installation context. This is another fantastically hard-to-summarize bug, and once again, I encourage you to read the commit message if you're curious about the details. The snappy takeaway is that this unbreaks many use cases forember-cli
. (@othiym23)
fcd9247
#7597 Awk varies pretty dramatically from platform to platform, so use Perl to generate the AUTHORS list instead. (@KenanY)721b17a
#7598npm install --save
really isn't experimental anymore. (@RichardLitt)
a91f2c7
#7559[email protected]
Switchnode-gyp
to usestdio
instead ofcustomFds
so it stops printing a deprecation warning every time you build a native dependency. (@jeffbski)0c85db7
[email protected]
: Globbing now deals with paths containing valid glob metacharacters better. (@isaacs)d14588e
[email protected]
: Bug fixes. (@isaacs)aa9952e
[email protected]
: Bug fixes. (@isaacs)
6823807
#7121npm install --save
for Git dependencies saves the URL passed in, instead of the temporary directory used to clone the remote repo. Fixes using Git dependencies when shrinkwrapping. In the process, rewrote the Git dependency caching code. Again. No more single-letter variable names, and a much clearer workflow. (@othiym23)c8258f3
#7486 When installing Git remotes, the caching code was passing in the functiongitEnv
instead of the results of invoking it. (@functino)c618eed
#2556 Make it possible to install Git dependencies when using--link
by not linking just the Git dependencies. (@smikes)
abdd040
[email protected]
: Provide more helpful error messages when JSON parse errors are encountered by using a more forgiving JSON parser than JSON.parse. (@smikes)
c56cfcd
#7525npm dedupe
handles scoped packages. (@KidkArolis)1b8ba74
#7531npm stars
andnpm whoami
will no longer send the registry the error text saying you need to log in as your username. (@othiym23)6de1e91
#6441 Prevent needless reinstalls by only updating packages when the current version isn't the same as the version returned aswanted
bynpm outdated
. (@othiym23)2abc3ee
Addnpm upgrade
as an alias fornpm update
. (@othiym23)bcd4722
#7508 FreeBSD usesEAI_FAIL
instead ofENOTFOUND
. (@othiym23)21c1ac4
#7507 Update support URL in generic error handler tohttps:
fromhttp:
. (@watilde)b6bd99a
#7492 On install, thepackage.json
engineStrict
deprecation only warns for the current package. (@othiym23)4ef1412
#7075 If you try to tag a release as a valid semver range,npm publish
andnpm tag
will error early instead of proceeding. (@smikes)ad53d0f
Userimraf
in npm build script because Windows doesn't know what rm is. (@othiym23)8885c4d
[email protected]
: Better Windows support. (@isaacs)8885c4d
[email protected]
: Handle bad symlinks properly. (@isaacs)
###E TYPSO & CLARFIICATIONS
dId yuo know that submiting fxies for doc tpyos is an exclelent way to get strated contriburting to a new open-saurce porject?
42c605c
Fix typo inCHANGELOG.md
(@adrianblynch)c9bd58d
Add note aboutnode_modules/.bin
being added to the path innpm run-script
. (@quarterto)903bdd1
Matt Ranney confused the world when he renamednode-redis
toredis
. "The world" includes npm's documentation. (@RichardLitt)dea9bb2
Fix typo in contributor link. (@watilde)1226ca9
Properly close code block in npm-install.md. (@olizilla)
For a very long time (maybe forever?), the documentation for npm run-script
has said that npm restart
will only call npm stop
and npm start
when
there is no command defined as npm restart
in package.json
. The problem
with this documentation is that npm run-script
was apparently never wired up
to actually work this way.
Until now.
If the patch below were landed on its own, free of context, it would be a
breaking change. But, since the "new" behavior is how the documentation claims
this feature has always worked, I'm classifying it as a patch-level bug fix. I
apologize in advance if this breaks anybody's deployment scripts, and if it
turns out to be a significant regression in practice, we can revert this change
and move it to npm@3
, which is allowed to make breaking changes due to being
a new major version of semver.
2f6a1df
#1999 Only runstop
andstart
scripts (plus their pre- and post- scripts) when there's norestart
script defined. This makes it easier to support graceful restarts of services managed by npm. (@watilde / @scien)
145af65
#4887 Replace calls to thenode-gyp
script bundled with npm by passing the--node-gyp=/path/to/node-gyp
option to npm. Swap inpangyp
or a version ofnode-gyp
modified to work better with io.js without having to touch npm's code! (@ackalker)
@WATILDE'S NPM USABILITY CORNER
Following [email protected]
's unexpected fix of many of the issues with npm update -g
simply by making --depth=0
the default for npm outdated
, friend of npm
@watilde has made several modest changes to npm's
behavior that together justify bumping npm's minor version, as well as making
npm significantly more pleasant to use:
448efd0
#2853 Add support for--dev
and--prod
tonpm ls
, so that you can list only the trees of production or development dependencies, as desired. (@watilde)a0a8777
#7463 Split the list printed bynpm run-script
into lifecycle scripts and scripts directly invoked vianpm run-script
. (@watilde)a5edc17
#6749[email protected]
: Support for passing scopes tonpm init
so packages are initialized as part of that scope / organization / team. (@watilde)
It turns out that quite a few pull requests had piled up on npm's issue tracker, and they included some nice small features and fixes:
f33e8b8
#7354 Add--if-present
flag to allow e.g. CI systems to call (semi-) standard build tasks defined inpackage.json
, but don't raise an error if no such script is defined. (@jussi-kalliokoski)7bf85cc
#4005 #6248 Globally unlink a package whennpm rm
/npm unlink
is called with no arguments. (@isaacs)a2e04bd
#7294 Ensure that when depending ongit+<proto>
URLs, npm doesn't keep tacking additionalgit+
prefixes onto the front. (@twhid)0f87f5e
#6422 When depending on GitHub private repositories, make sure we construct the Git URLS correctly. (@othiym23)50f461d
#4595 Support finding compressed manpages. It's still up to the system to figure out how to display them, though. (@pshevtsov)44da664
#7465 When calling git, log the full command, with all arguments, on error. (@thriqon)9748d5c
Add parent to error onETARGET
error. (@davglass)37038d7
#4663 Remove hackaround for Linux tests, as it's evidently no longer necessary. (@mmalecki)d7b7853
#2612 Add support for path completion onnpm install
, which narrows completion to only directories containingpackage.json
files. (@deestan)628fcdb
Remove all command completion calls to-/short
, because it's been removed from the primary registry for quite some time, and is generally a poor idea on any registry with more than a few hundred packages. (@othiym23)3f6061d
#6659 Instead of removing zsh completion global, make it a local instead. (@othiym23)
5bc70e6
#7417 Provide concrete examples of how the newnpm update
defaults work in practice, tied to actual test cases. Everyone interested in usingnpm update -g
now that it's been fixed should read these documents, as should anyone interested in writing documentation for npm. (@smikes)8ac6f21
#6543 Clarifynpm-scripts
warnings to de-emphasize dangers of usinginstall
scripts. (@zeke)ebe3b37
#6711 Note that git tagging of versions can be disabled via--no-git-tag-verson
. (@smikes)2ef5771
#6711 Documentgit-tag-version
configuration option. (@KenanY)95e59b2
Document thatNODE_ENV=production
behaves analogously to--production
onnpm install
. (@stefaneg)687117a
#7463 Document the new script grouping behavior in the man page fornpm run-script
. (@othiym23)536b2b6
Rescue one of the the disabled tests and make it work properly. (@smikes)
89fc6a4
[email protected]
: Test for being run as root, as well as the current user. (@isaacs)5d0612f
[email protected]
: Better error message to explain why calling sync glob with a callback results in an error. (@isaacs)64b07f6
[email protected]
: More accurate counts of pending & skipped tests. (@rmg)8fda451
[email protected]
: Make official the fact thatnode-semver
has moved from @isaacs's organization to @npm's. (@isaacs)
8b98f0e
#4471npm outdated
(and onlynpm outdated
) now defaults to--depth=0
. See the docs for--depth
for the mildly confusing details. (@smikes)aa79194
#6565 TweakpeerDependency
deprecation warning to include which peer dependency on which package is going to need to change. (@othiym23)5fa067f
#7171 TweakengineStrict
deprecation warning to include whichpackage.json
is using it. (@othiym23)0fe0caa
[email protected]
: Glob patterns can now ignore matches. (@isaacs)
38c4825
#5068 Add new logout command, and make it do something useful on both bearer-based and basic-based authed clients. (@othiym23)4bf0f5d
[email protected]
: Support newlogout
endpoint to invalidate token for sessions. (@othiym23)
c8e08e6
#6565 Warn thatpeerDependency
behavior is changing and add a note to the docs. (@othiym23)7c81a5f
#7171 Warn thatengineStrict
inpackage.json
will be going away in the next major version of npm (coming soon!) (@othiym23)
add5890
#4668[email protected]
: Warn when abin
symbolic link is a dangling reference. (@nicks)4b42071
[email protected]
: Add functions to extract parts of the version triple, fix a typo. (@isaacs)a9aff38
Use full path for man pages as the symbolic link source, instead of just the file name. (@bengl)6fd0fbd
#7233 Ensureglobalconfig
path exists before trying to edit it. (@ljharb)a0a2620
[email protected]
: Allow embedded, quoted equals signs in ini field names. (@isaacs)
Also typos and other documentation issues were addressed by @rutsky, @imurchie, @marcin-wosinek, @marr, @amZotti, and @karlhorky. Thank you, everyone!
This release doesn't look like much, but considerable effort went into ensuring that npm's tests will pass on io.js 1.1.0 and Node 0.11.16 / 0.12.0 on both OS X and Linux.
NOTE: there are no actual changes to npm's code in [email protected]
. Only test
code (and the upgrade of request
to the latest version) has changed.
0e8d473
#7281[email protected]
: Clean up API, setconnection: close
. (@robertkowalski)4707bba
Further update tests to work with[email protected]
. (@othiym23)41a0f89
Got rid of completely gratuitous global config manipulation in tests. (@othiym23)
a4c7af9
[email protected]
: Tweaks to tunneling proxy behavior. (@nylen)
fec4c96
Allow--no-proxy
to overrideHTTP_PROXY
setting in environment. (@othiym23)589acb9
Only setaccess
when publshing when it's explicitly set. (@othiym23)1027087
Add script andMakefile
stanza to update AUTHORS. (@KenanY)eeff04d
AddNPMOPTS
to top-level install inMakefile
to overrideuserconfig
. (@aredridel)0d17328
[email protected]
: Run chown only when necessary. (@silkentrance)9aa4622
[email protected]
: ES6ified! (@timoxley)51b2fd1
Update default version indocs/npm-config.md
. (@lucthev)
f9313a0
#7226 Ensure that all request settings are copied onto the agent. (@othiym23)e186f6e
Only setaccess
on publish when it differs from the norm. (@othiym23)f9313a0
Allow overriding request's environment-based proxy handling. (@othiym23)f9313a0
Properly handle retry failures on fetch. (@othiym23)
Let's accentuate the positive: the dist-tag
endpoints for npm dist-tag {add,rm,ls}
are now live on the public npm registry.
f70272b
[email protected]
: Properly escape JSON tag version strings and filter_etag
from CouchDB docs. (@othiym23)
NOTE: This week's registry-2 commands are leading the implementation on
registry.npmjs.org a little bit, so some of the following may not work for
another week or so. Also note that npm access
has documentation and
subcommands that are not yet finished, because they depend on incompletely
specified registry API endpoints. Things are coming together very quickly,
though, so expect the missing pieces to be filled in the coming weeks.
c963eb2
#7181 NEWnpm access public
andnpm access restricted
: Toggle visibility of scoped packages. (@othiym23)dc51810
#6243 / #6854 NEWnpm dist-tags
: Directly managedist-tags
on packages. Most notably,dist-tags
can now be deleted. (@othiym23)4c7c132
#7181 / #6854[email protected]
: Add newaccess
anddist-tags
endpoints (@othiym23)
29a6ef3
#6850 Be smarter about determining base of file deletion when unbuilding. (@phated)4ad01ea
[email protected]
: Support--save-exact
innpm init
. (@gustavnikolaj)
e662a60
The newwhoami
endpoint might not return a value. (@othiym23)c2cccd4
[email protected]
: Includes the following fine changes (@othiym23):
98e1e10
#6791 Add caching based on Last-Modified / If-Modified-Since headers. Includes this[email protected]
change (@lxe):
706d49a
#7107getCacheStat
passes a stub stat on Windows. (@rmg)5fce278
#5267 Use%COMSPEC%
when set on Windows. (@edmorley)cc2e099
#7083 Ensure Git cache prefix exists before repo clone on Windows. (@othiym23)
c6fb430
#4197 Reportumask
as a 0-padded octal literal. (@smikes)209713e
#4197[email protected]
: Properly handleumask
s (i.e. not decimal numbers). (@smikes)9eac0a1
Make the example for bin links non-destructive. (@KevinSheedy)6338bcf
[email protected]
: " -> ', for some reason. (@isaacs)
88c531d
#7056 version doesn't need a package.json. (@othiym23)2656c19
#7095 Link to npm website instead of registry. (@konklone)c76b801
#7067 Obfuscate secrets, including nerfed URLs. (@smikes)17f66ce
#6849 Explain the tag workflow more clearly. (@smikes)e309df6
#7096 Really,npm update -g
is almost always a terrible idea. (@smikes)acf287d
#6999npm run-script env
: add a new default script that will print out environment values. (@gcb)560c009
#6745 Documentnpm update --dev
. (@smikes)226a677
#7046 We have never been the Node package manager. (@linclark)38eef22
[email protected]
: Compatibility with npmlog@^1. (@iarna)
merry npm xmas
Working with @phated, I discovered that npm still had some lingering race conditions around how it handles Git dependencies. The following changes were intended to remedy to these issues. Thanks to @phated for all his help getting to the bottom of these.
bdf1c84
#7006 Onlychown
template and top-level Git cache directories. (@othiym23)581a72d
#7006 Map Git remote inflighting to clone paths rather than Git URLs. (@othiym23)1c48d08
#7009[email protected]
: Normalize Git URLs while caching. (@othiym23)5423cf0
#7009 Pack tarballs to their final locations atomically. (@othiym23)7f6557f
#7009 Inflight local directory packing, just to be safe. (@othiym23)
Other changes:
1c491e6
#6991npm version
: fix regression in dirty-checking behavior (@rlidwka)55ceb2b
#1991 modify docs to reflect actualnpm restart
behavior (@smikes)fb8e31b
#6982 when doing registry operations, ensure registry URL always ends with/
(@othiym23)5bcba65
pull whitelisted Git environment variables out into a named constant (@othiym23)be04bbd
#7000 No longer install badly-named manpage files, and log an error when trying to uninstall them. (@othiym23)6b7c5ec
#7011 Send auth for tarball fetches for packages innpm-shrinkwrap.json
from private registries. (@othiym23)9b9de06
[email protected]
: Better handling of trailing slashes. (@isaacs)030f3c7
[email protected]
: Diffing between version strings. (@isaacs)
a4e4e33
#6987[email protected]
: fixed a regression where a new / empty package would cause read-installed to throw. (@othiym23 / @pgilad)
e5a2dee
#6951[email protected]
: Usepath-is-inside
for better Windows normalization. (@othiym23)ac6167c
#6955 Callpath.normalize
inlib/utils/gently-rm.js
for better Windows normalization. (@ben-page)c625d71
#6964 Clarify CA configuration docs. (@jeffjo)58b8cb5
#6950 Fix documentation typos. (@martinvd)7c1299d
#6909 Remove confusing mention of rubygems~>
semver operator. (@mjtko)7dfdcc6
#6909[email protected]
: Synchronize documentation with PR #6909 (@othiym23)adfddf3
#6925 Correct typo indoc/api/npm-ls.md
(@oddurs)f5c534b
#6920 Remove recommendation to run as root fromREADME.md
. (@robertkowalski)3ef4459
#6920[email protected]
has gone the way of all things. That means it's gone. (@robertkowalski)
cbb890e
#6897 npm is a nice package manager that runs server-side JavaScript. (@othiym23)d9043c3
#6893 Remove erroneous docs about preupdate / update / postupdate lifecycle scripts, which have never existed. (@devTristan)c5df4d0
#6884 Update npmjs.org to npmjs.com in docs. (@linclark)cb6ff8d
#6879 npm version: Update shrinkwrap post-check. (@othiym23)2a340bd
#6868 Use magic numbers instead of regexps to distinguish tarballs from other things. (@daxxog)f1c8bdb
#6861[email protected]
: Distinguish between error properties that are part of the response and error strings that should be returned to the user. (@disrvptor)d3a1b63
#6762 Makenpm outdated
ignore private packages. (@KenanY)16d8542
install.sh: Drop support for node < 0.8, remove engines bits. (@isaacs)b9c6046
[email protected]
: (@terinstock) noticed thatinit.license
configuration doesn't stick. Make sure that dashed defaults don't trump dotted parameters. (@othiym23)b6d6acf
[email protected]
: No longer use graceful-fs for some reason. (@isaacs)d39f673
[email protected]
: Incorporate bug fixes. (@nylen)c7ad727
[email protected]
: Incorporate bug fixes. (@timoxley)
e5b1e44
add alias verison=version (@isaacs)5eed7bd
[email protected]
(@nylen)e72f81d
[email protected]
/[email protected]
(@isaacs)b8dcc36
[email protected]
(@isaacs)
4861d28
[email protected]
: License update. (@isaacs)30a2ea8
[email protected]
: License update. (@isaacs)6a4ea05
[email protected]
: Propagate error events to downstream streams. (@gfxmonk)a558695
[email protected]
: Don't extract broken files, propagatedrain
event. (@gfxmonk)989624e
#6767 Actually pass parameters when adding git repo to cach under Windows. (@othiym23)657af73
#6774 When verifying paths on unbuild, resolve both source and target as symlinks. (@hokaccha)fd19c40
#6713[email protected]
: Make it so thatnpm install foo@1
work when a file named1
exists. (@iarna)c8ac37a
[email protected]
: Fix regression in failed fetch retries. (@othiym23)
756f3d4
#6735 Log "already built" messages at info, not error. (@smikes)1b7330d
#6729[email protected]
: GitHub won't redirect you through an HTML page to a compressed tarball if you don't tell it you accept JSON responses. (@KenanY)d9c7857
#6506[email protected]
: Usegraceful-fs
so the whole dependency tree gets read, even in case ofEMFILE
. (@sakana)3a085be
Grammar fix in docs. (@icylace)3f8e2ff
Did you know that npm has a Code of Conduct? Add a link to it to CONTRIBUTING.md. (@isaacs)319ccf6
[email protected]
: Performance tuning. (@isaacs)835f046
[email protected]
: Bug fixes. (@rvagg)a34c38d
[email protected]
: Bug fixes. (@nylen)
eed9f61
#6542npm owner add / remove
now works properly with scoped packages (@othiym23)cd25973
#6548 using sudo won't leave the cache's git directories with bad permissions (@othiym23)56930ab
fixed irregularnpm cache ls
output (yes, that's a thing) (@othiym23)740f483
legacy tests no longer poison user's own cache (@othiym23)ce37f14
#6169 add terse output similar tonpm publish / unpublish
fornpm owner add / remove
(@KenanY)bf2b8a6
#6680 pass auth credentials to registry when downloading search index (@terinjokes)00ecb61
#6400.npmignore
is respected for git repos on cache / pack / publish (@othiym23)d1b3a9e
#6311npm ls -l --depth=0
no longer prints phantom duplicate children (@othiym23)07c5f34
#6690[email protected]
: clarify confusing names in error-handling code (@isaacs)1ac9be9
#6684npm init
: don't report write if canceled (@smikes)7bb207d
#5754 never remove app directories on failed install (@othiym23)705ce60
#5754[email protected]
: don't throw when another fs task writes to a directory being vacuumed (@othiym23)1b650f4
#6255 ensure that order credentials are used from.npmrc
doesn't regress (@othiym23)9bb2c34
#6644warn
rather thaninfo
on fetch failure (@othiym23)e34a7b6
#6524[email protected]
: proxy viarequest
more transparently (@othiym23)40afd6a
#6524 push proxy settings intorequest
(@tauren)
063d843
npm version now updates version in npm-shrinkwrap.json (@faiq)3f53cd7
#6559 save local dependencies in npm-shrinkwrap.json (@Torsph)e249262
npm-faq.md: mention scoped pkgs in namespace Q (@smikes)6b06ec4
#6642[email protected]
: Handle bothinit-author-name
andinit.author.name
. (@othiym23)9cb334c
#6409 document commit-ish with GitHub URLs (@smikes)0aefae9
#2959 npm run no longer fails silently (@flipside)e007a2c
#3908 include command in spawn errors (@smikes)
6750b05
#6398[email protected]
: consistent API, handle relative registry paths, use auth more consistently (@othiym23)7719cfd
#6560 use new npm-registry-client API (@othiym23)ed61971
move caching of search metadata fromnpm-registry-client
to npm itself (@othiym23)3457041
handle caching of metadata independently fromnpm-registry-client
(@othiym23)20a331c
#6538 map registry URLs to credentials more safely (@indexzero)4072e97
#6589[email protected]
: allow publishing of packages with names identical to built-in Node modules (@feross)254f0e4
[email protected]
: better error-handling (@runk)73ee2aa
[email protected]
(@mikeal)
681b398
#6523 fix defaultlogelevel
doc (@KenanY)80b368f
#6528npm version
should work in a git directory without git (@terinjokes)5f5f9e4
#6483[email protected]
: Properly pick up default values from environment variables. (@othiym23)a114870
perl 5.18.x doesn't like -pi without filenames (@othiym23)de5ba00
[email protected]
: Tests and cleanup. (@othiym23)76933f1
[email protected]
: Always includeLICENSE[.*]
,LICENCE[.*]
,CHANGES[.*]
,CHANGELOG[.*]
, andHISTORY[.*]
. (@jonathanong)
6a14b23
#6397 Defactor npmconf back into npm. (@othiym23)4000e33
#6323 InstallpeerDependencies
from top. (@othiym23)5d119ae
#6498 Better error messages on malformed.npmrc
properties. (@nicks)ae18efb
#6093 Replace instances of 'hash' with 'object' in documentation. (@zeke)53108b2
#1558 Clarify how local paths should be used. (@KenanY)344fa1a
#6488 Work around bug in marked. (@othiym23)
OUTDATED DEPENDENCY CLEANUP JAMBOREE
60c2942
[email protected]
: Handle names and rawSpecs more consistently. (@iarna)1b5c95f
[email protected]
: Change line endings? (@ForbesLindesay)d7dee3f
[email protected]
: Dependency updates, better proxy support, better compressed response handling, lots of 'use strict'. (@mikeal)3d75180
[email protected]
: Added gratuitous return. (@Domenic)8e2703f
[email protected]
/[email protected]
: Change of ownership. (@tim-kos)c87b00f
[email protected]
: Wrap once with wrappy. (@isaacs)01ec790
[email protected]
: Correct repository URL. (@robertkowalski)389e52c
[email protected]
: Now absolutely requiresgraceful-fs
. (@isaacs)e15ab15
[email protected]
: Tighten up whitespace handling. (@isaacs)7610f3e
[email protected]
(@substack)9c13149
[email protected]
: Add support for prerelease identifiers. (@bromanko)f096c25
[email protected]
: Add a bunch of additional tests, skip the unfortunate complications of[email protected]
. (@isaacs)
3aeb440
#6442 proxying git needsGIT_SSL_CAINFO
(@wmertens)a8da8d6
#6413 write builtin config on any global npm install (@isaacs)9e4d632
#6343 don't pass run arguments to pre & post scripts (@TheLudd)d831b1f
#6399 race condition: inflight installs, preventpeerDependency
problems (@othiym23)82b775d
#6384 race condition: inflight caching by URL rather than semver range (@othiym23)7bee042
[email protected]
: callback can take arbitrary number of parameters (@othiym23)3bff494
#5195 fixed regex color regression fornpm search
(@chrismeyersfsu)33ba2d5
#6387 allownpm view global
if package is specified (@evanlucas)99c4cfc
#6388 npm-publish → npm-developers(7) (@kennydude)
TEST CLEANUP EXTRAVAGANZA:
8d6bfcb
tap tests run with no system-wide side effects (@chrismeyersfsu)7a1472f
added npm cache cleanup script (@chrismeyersfsu)0ce6a37
stripped out dead test code (othiym23)- replace spawn with common.npm (@chrismeyersfsu):
BREAKING CHANGE FOR THE SQRT(i) PEOPLE ACTUALLY USING npm submodule
:
1e64473
rm -rf npm submodule
command, which has been broken since the Carter Administration (@isaacs)
BREAKING CHANGE IF YOU ARE FOR SOME REASON STILL USING NODE 0.6 AND YOU SHOULD NOT BE DOING THAT CAN YOU NOT:
3e431f9
joyent/node#8492 bye bye customFds, hello stdio (@othiym23)
Other changes:
ea607a8
#6372 noisily error (without aborting) on multi-{install,build} (@othiym23)3ee2799
#6372 only make cache creation requests in flight (@othiym23)1a90ec2
#6372 wait to put Git URLs in flight until normalized (@othiym23)664795b
#6372 log what is and isn't in flight (@othiym23)00ef580
[email protected]
: fix largely theoretical race condition, because we really really hate race conditions (@isaacs)1cde465
#6363[email protected]
: handle local dependencies better (@iarna)86f084c
[email protected]
: dependency realization! in its own module! (@iarna)553d830
[email protected]
: simplified semver, better tests (@iarna)bec9b61
[email protected]
: for some reason (@rvagg)ff08ec5
[email protected]
: use wrappy for instrumentability (@isaacs)
a1aa20e
#6282[email protected]
: don't prune bundledDependencies (@isaacs)a1f5fe1
move locks back into cache, now path-aware (@othiym23)a432c4b
convert lib/utils/tar.js to use atomic streams (@othiym23)b8c3c74
[email protected]
: Now works with streams1 fs.WriteStreams. (@isaacs)c7ab76f
logging cleanup (@othiym23)4b2d95d
#6329 efficiently validate tmp tarballs safely (@othiym23)
563225d
#6318 clean up locking; prefix lockfile with "." (@othiym23)c7f30e4
#6318 remove locking code around tarball packing and unpacking (@othiym23)
NEW FEATURE:
3635601
#5520 Add'npm view .'
. (@evanlucas)
Other changes:
f24b552
#6294 Lock cache → lock cache target. (@othiym23)ad54450
#6296 Ensure that npm-debug.log file is created when rollbacks are done. (@isaacs)6810071
docs: Default loglevel "http" → "warn". (@othiym23)35ac89a
Skip installation of installed scoped packages. (@timoxley)e468527
Ensure cleanup executes for scripts-whitespace-windows test. (@timoxley)ef9101b
Ensure cleanup executes for packed-scope test. (@timoxley)69b4d18
[email protected]
: Fix a race condition in our race-condition fixer. (@isaacs)26b17ff
#6272npmconf
decides what the default prefix is. (@othiym23)846faca
Fix development dependency is preferred over dependency. (@andersjanmyr)9d1a9db
#3265 Re-apply a71615a. Fixes #3265 again, with a test! (@glasser)1d41db0
[email protected]
: Fixes formatting of synopsis blocks in man docs. (@kapouer)a623da0
#5867 Specify dummy git template dir when cloning to prevent copying hooks. (@boneskull)
42c872b
#5920[email protected]
(@isaacs)6784767
#5920 make all write streams atomic (@isaacs)f6fac00
#5920 barf on 0-length cached tarballs (@isaacs)3b37592
[email protected]
: use graceful-fs (@iarna)
74c5ab0
#6201[email protected]
: scope always-auth to registry URI (@othiym23)774b127
#6201[email protected]
: use scoped always-auth settings (@othiym23)f2d2190
#6201 support saving--always-auth
when logging in (@othiym23)17c941a
#6163 usewrite-file-atomic
instead offs.writeFile()
(@fiws)fb5724f
#5925npm init -f
: allownpm init
to run without prompting (@michaelnisi)b706d63
#3059 disable prepublish when runningnpm install --production
(@jussi-kalliokoski)119f068
attach the node version used when publishing a package to its registry metadata (@othiym23)8fe0081
seriously, don't usenpm -g update npm
(@thomblake)ea5b3d4
[email protected]
(@othiym23)
BREAKING CHANGES:
4378a17
[email protected]
: prerelease versions no longer show up in ranges;^0.x.y
behaves the way it did insemver@2
rather thansemver@3
; docs have been reorganized for comprehensibility (@isaacs)c6ddb64
npm now assumes that node is newer than 0.6 (@isaacs)
Other changes:
ea515c3
#6043[email protected]
: wait until all callbacks have finished before proceeding (@othiym23)0b0a59d
#6043 defer rollbacks until just before the CLI exits (@isaacs)a11c88b
#6175 pack scoped packages correctly (@othiym23)e4e48e0
#6121[email protected]
: don't mark linked dev dependencies as extraneous (@isaacs)d673e41
[email protected]
: depend ongraceful-fs
directly (@ForbesLindesay)9d54d45
[email protected]
: make tests more reliable on Travis (@iarna)673d738
ensure permissions are set correctly in cache when running as root (@isaacs)6e6a5fb
prepare for upgrade to[email protected]
(@isaacs)ab8dd87
swap outronn
for[email protected]
(@isaacs)803da54
[email protected]
: prepare for[email protected]
and include more error information (@isaacs)4af0e71
make default error display less scary (@isaacs)4fd9e79
[email protected]
: handle errors returned by the registry much, much better (@othiym23)ca791e2
restore a long (always?) missing pass for deduping (@othiym23)ca0ef0e
correctly interpret relative paths for local dependencies (@othiym23)5eb8db2
[email protected]
: support git+file:// URLs for local bare repos (@othiym23)860a185
tweak docs to no longer advocate checking innode_modules
(@hunterloftis)80e9033
add links to nodejs.org downloads to docs (@meetar)
f4540b6
#6043 defer rollbacks until just before the CLI exits (@isaacs)1eabfd5
#6043[email protected]
: wait until all callbacks have finished before proceeding (@othiym23)
fa79413
#6119 fall back to registry installs if package.json is missing in a local directory (@iarna)16073e2
[email protected]
: support file URIs as local specs (@othiym23)9164acb
[email protected]
: don't match strings that are already URIs (@othiym23)4067d6b
#5629 support saving of local packages inpackage.json
(@dylang)1b2ffdf
#6097 document scoped packages (@seldo)0a67d53
#6007[email protected]
: properly set headers on proxy requests (@isaacs)9bac6b8
[email protected]
: disallow semver ranges in tag configuration (@isaacs)d2d4d7c
#6082 don't allow tagging with a semver range as the tag name (@isaacs)
4cf3c8f
#6007 [email protected]: properly set headers on proxy requests (@isaacs)403cb52
#6055 [email protected]: restore case-insensitivity of environmental config (@iarna)
SPECIAL LABOR DAY WEEKEND RELEASE PARTY WOOO
ed207e8
[email protected]
: Clean up auth logic and improve logging around auth decisions. Also error on trying to change a user document without writing to it. (@othiym23)66c7423
[email protected]
: support -C as an alias for --prefix (@isaacs)0dc6a07
#6059 run commands in prefix, not cwd (@isaacs)65d2179
[email protected]
: part 3 handle slashes in branch names (@robertkowalski)e8d75d0
#6057[email protected]
: properly handle extraneous dev dependencies of required dependencies (@othiym23)0602f70
#6064 ls: do not show deps of extraneous deps (@isaacs)
78a1fc1
[email protected]
: add support for git+https and git+ssh (@stefanbuck)bf247ed
[email protected]
(@othiym23)4bbe682
[email protected]
: upgrade to graceful-fs 3 (@ForbesLindesay)ae1d590
[email protected]
: accept slashes in branch names (@thealphanerd)b2f51ae
[email protected]
: semver.clean() is cleaner (@isaacs)1d041a8
[email protected]
: accept slashes in branch names (@robertkowalski)02c85d5
[email protected]
(@othiym23)5af493e
ensure lifecycle spawn errors caught properly (@isaacs)60fe012
[email protected]
: init.version defaults to 1.0.0 (@isaacs)b4c717b
[email protected]
: properly encode % in passwords (@isaacs)7b55f44
doc: Fix 'npm help index' (@isaacs)
eceea95
[email protected]
: add support for git+https and git+ssh (@stefanbuck)e561758
[email protected]
(@othiym23)0c4fab3
[email protected]
: upgrade to graceful-fs 3 (@ForbesLindesay)2d69e4d
[email protected]
: accept slashes in branch names (@robertkowalski)81f9b2b
ensure lifecycle spawn errors caught properly (@isaacs)bfaab8c
[email protected]
: properly encode % in passwords (@isaacs)91cfb58
doc: Fix 'npm help index' (@isaacs)
685f8be
[email protected]
: Print the notification header returned by the registry, and make sure status codes are printed without gratuitous quotes around them. (@isaacs / @othiym23)a8cb676
#5900 removenpm
from its ownengines
field inpackage.json
. None of us remember why it was there. (@timoxley)6c47201
#5752, #6013 save git URLs correctly in_resolved
fields (@isaacs)e4e1223
#5936 document the use of tags inpackage.json
(@KenanY)c92b8d4
#6004 manually installed scoped packages are tracked correctly (@dead-horse)21ca0aa
#5945 link scoped packages correctly (@dead-horse)16bead7
#5958 ensure that file streams work in all versions of node (@dead-horse)dbf0cab
you can now pass quoted args tonpm run-script
(@bcoe)0583874
[email protected]
: Add test for removing an extract target immediately after unpacking. (@isaacs)cdf3b04
[email protected]
: Fix incorrect interaction betweenwait
,stale
, andretries
options. Part 2 of race condition leading toENOENT
(@isaacs) errors.22d72a8
[email protected]
: Fix a double-finish call which can result in excess FS operations after theclose
event. Part 1 of race condition leading toENOENT
errors. (@isaacs)
64c0ec2
[email protected]
: Print the notification header returned by the registry, and make sure status codes are printed without gratuitous quotes around them. (@othiym23)a8ed12b
[email protected]
: Add test for removing an extract target immediately after unpacking. (@isaacs)70fd11d
[email protected]
: Fix incorrect interaction betweenwait
,stale
, andretries
options. Part 2 of race condition leading toENOENT
errors. (@isaacs)0072c4d
[email protected]
: Fix a double-finish call which can result in excess FS operations after theclose
event. Part 2 of race condition leading toENOENT
errors. (@isaacs)
f23f1d8
doc: update version doc to includepre-*
increment args (@isaacs)b6bb746
build: add 'make tag' to tag current release as latest (@isaacs)27c4bb6
build: publish with--tag=v1.4-next
(@isaacs)cff66c3
build: add script to outputv1.4-next
publish tag (@isaacs)22abec8
build: remove outdateddocpublish
make target (@isaacs)1be4de5
build: removeunpublish
step frommake publish
(@isaacs)e429e20
doc: add new changelog (@othiym23)9243d20
lifecycle: test lifecycle path modification (@isaacs)021770b
lifecycle: BREAKING CHANGE do not add the directory containing node executable (@chulkilee)1d5c41d
install: rename .gitignore when unpacking foreign tarballs (@isaacs)9aac267
cache: detect non-gzipped tar files more reliably (@isaacs)3f24755
[email protected]
(@isaacs)151cd2f
[email protected]
(@isaacs)f5a9434
test: fix Travis timeouts (@dylang)126cafc
[email protected]
(@othiym23)
9344bd9
doc: add new changelog (@othiym23)4be76fd
doc: update version doc to includepre-*
increment args (@isaacs)e4f2620
build: addmake tag
to tag current release aslatest
(@isaacs)ec2596a
build: publish with--tag=v1.4-next
(@isaacs)9ee55f8
build: add script to outputv1.4-next
publish tag (@isaacs)aecb56f
build: remove outdateddocpublish
make target (@isaacs)b57a9b7
build: remove unpublish step frommake publish
(@isaacs)2c6acb9
install: rename.gitignore
when unpacking foreign tarballs (@isaacs)22f3681
cache: detect non-gzipped tar files more reliably (@isaacs)
BREAKING CHANGE:
Other changes:
d987707
move fetch into npm-registry-client (@othiym23)9b318e2
[email protected]
(@isaacs)9d73de7
remove unnecessary mkdirps (@isaacs)33ccd13
Don't squash execute perms in_git-remotes/
dir (@adammeadows)48fd233
[email protected]
(@isaacs)
8dd11d1
update several dependencies to avoid usingsemver
s starting with 0.
d9a9e84
[email protected]
(@isaacs)86f0340
[email protected]
(@isaacs)a94136a
[email protected]
(@isaacs)bb82d18
[email protected]
(@isaacs)5b6bcf4
[email protected]
(@isaacs)c2aa8b3
license: Cleaned up legalese with actual lawyer (@isaacs)63fe0ee
[email protected]
(@isaacs)
This release bumps up to 2.0 because of this breaking change, which could potentially affect how your package's scripts are run:
Other changes:
cd422c9
#5748 link binaries for scoped packages (@othiym23)4c3c778
#5758npm link
includes scope when linking scoped package (@fengmk2)f9f58dd
#5707 document generic pre- / post-commands (@sudodoki)ac7a480
#5406npm cache
displays usage when called without arguments (@michaelnisi)f4554e9
Test fixes for Windows (@isaacs)- update dependencies (@othiym23)
- fall back to
_auth
config as default auth when using default registry (@isaacs) - support for 'init.version' for those who don't want to deal with semver 0.0.x oddities (@rvagg)
be06213
remove residual support forwin
log level (@aterris)
a3a85dd
--save
scoped packages correctly (@othiym23)18a3385
[email protected]
(@othiym23)375988b
invalid package names are an early error for optional deps (@othiym23)- consistently use
node-package-arg
instead of arbitrary package spec splitting (@othiym23)
88f51aa
fix handling for 301s in[email protected]
(@Raynos)
54cf625
fix handling for 301s in[email protected]
(@Raynos)e410861
don't crash if no username set onwhoami
(@isaacs)0353dde
respect--json
for output (@isaacs)b3d112a
outdated: Don't show headings if there's nothing to output (@isaacs)bb4b90c
outdated: Default tolatest
rather than*
for unspecified deps (@isaacs)
0353dde
respect--json
for output (@isaacs)b3d112a
outdated: Don't show headings if there's nothing to output (@isaacs)bb4b90c
outdated: Default tolatest
rather than*
for unspecified deps (@isaacs)
7f55057
install scoped packages (#5239) (@othiym23)0df7e16
publish scoped packages (#5239) (@othiym23)0689ba2
support (and save) --scope=@s config (@othiym23)f34878f
scope credentials to registry (@othiym23)0ac7ca2
capture and store bearer tokens when sent by registry (@othiym23)63c3277
only delete files that are created by npm (@othiym23)4f54043
[email protected]
(@othiym23)9e1460e
[email protected]
(@othiym23)719d8ad
[email protected]
(@othiym23)9ef8fe4
[email protected]
(@othiym23)a964f65
[email protected]
(@othiym23)113765b
[email protected]
(@othiym23)
f687433
relative URLS for working non-root registry URLS (@othiym23)bea190c
#5591 bump nopt and npmconf (@isaacs)
- Bump glob dependency from 4.0.2 to 4.0.3. It now uses graceful-fs when available, increasing resilience to various filesystem errors. (@isaacs)
- replace escape codes with ansicolors (@othiym23)
- Allow to build all the docs OOTB. (@GeJ)
- Use core.longpaths on win32 git - fixes #5525 (@bmeck)
[email protected]
(@isaacs)- Consolidate color sniffing in config/log loading process (@isaacs)
- add verbose log when project config file is ignored (@isaacs)
- npmconf: Float patch to remove 'scope' from config defs (@isaacs)
- doc: npm-explore can't handle a version (@robertkowalski)
- Add user-friendly errors for ENOSPC and EROFS. (@voodootikigod)
- bump tar and fstream deps (@isaacs)
- Run the npm-registry-couchapp tests along with npm tests (@isaacs)
- Same as v1.4.16, but with the spinner disabled, and a version number that starts with v1.2.
[email protected]
(@isaacs)[email protected]
(@isaacs)[email protected]
(@isaacs)[email protected]
(@isaacs)[email protected]
(@isaacs)[email protected]
(@isaacs)- removed redundant dependency (@othiym23)
[email protected]
(@isaacs)- Properly handle errors that can occur in the config-loading process (@isaacs)
- cache: atomic de-race-ified package.json writing (@isaacs)
[email protected]
(@isaacs)[email protected]
(@isaacs)[email protected]
(@isaacs)- Only spin the spinner when we're fetching stuff (@isaacs)
- Update
[email protected]
which removes ~/tmp as possible tmp-folder (@robertkowalski) [email protected]
(@isaacs)graceful-fs@3
(@isaacs)- Update glob and things depending on glob (@isaacs)
- github-url-from-username-repo and read-package-json updates (@isaacs)
[email protected]
(@isaacs)[email protected]
(@isaacs)- bump ansi and associated deps (@isaacs)
- char-spinner: update to not bork windows (@isaacs)
- Fix
npm install
on a tarball. (ed3abf1
, #5330, @othiym23) - Fix an issue with the spinner on Node 0.8.
(
9f00306
, @isaacs) - Re-add
npm.commands.cache.clean
andnpm.commands.cache.read
APIs, and documentnpm.commands.cache.*
as npm-cache(3). (e06799e
, @isaacs)
- remove normalize-package-data from top level, de-^-ify inflight dep (@isaacs)
- Always sort saved bundleDependencies (@isaacs)
- add inflight to bundledDependencies (@othiym23)
- fix
npm ls
labeling issue [email protected]
- default repository to https:// instead of git://
- addLocalTarball: Remove extraneous unpack (@isaacs)
- Massive cache folder refactor (@othiym23 and @isaacs)
- Busy Spinner, no http noise (@isaacs)
- Per-project .npmrc file support (@isaacs)
[email protected]
, Refactor config/uid/prefix loading process (@isaacs)- Allow once-disallowed characters in passwords (@isaacs)
- Send npm version as 'version' header (@isaacs)
- fix cygwin encoding issue (Karsten Tinnefeld)
- Allow non-github repositories with
npm repo
(@evanlucas) - Allow peer deps to be satisfied by grandparent
- Stop optional deps moving into deps on
update --save
(@timoxley) - Ensure only matching deps update with
update --save*
(@timoxley) - Add support for
prerelease
,preminor
,prepatch
tonpm version
- Don't set referer if already set
- fetch: Send referer and npm-session headers
run-script
: Support--parseable
and--json
- list runnable scripts (@evanlucas)
- Use marked instead of ronn for html docs
- Send referer header (with any potentially private stuff redacted)
- Fix critical typo bug in previous npm release
- Check SHA before using files from cache
- adduser: allow change of the saved password
- Make
npm install
respectconfig.unicode
- Fix lifecycle to pass
Infinity
for config env value - Don't return 0 exit code on invalid command
- cache: Handle 404s and other HTTP errors as errors
- Resolve ~ in path configs to env.HOME
- Include npm version in default user-agent conf
- npm init: Use ISC as default license, use save-prefix for deps
- Many test and doc fixes
- Add
--save-prefix
option that can be used to override the default of^
when usingnpm install --save
and its counterparts. (64eefdf
, @thlorenz) - Allow
--silent
to silence the echoing of commands that occurs withnpm run
. (c95cf08
, @Raynos) - Some speed improvements to the cache, which should improve install times.
(
cb94310
,3b0870f
,120f5a9
, @isaacs) - Improve ability to retry registry requests when a subset of the registry
servers are down.
(
4a5257d
, https://github.com/npm/npm-registry-client/commit/7686d02cb0b844626d6a401e58c0755ef3bc8432, @isaacs) - Fix marking of peer dependencies as extraneous.
(
779b164
, https://github.com/npm/read-installed/commit/6680ba6ef235b1ca3273a00b70869798ad662ddc, @isaacs) - Fix npm crashing when doing
npm shrinkwrap
in the presence of apackage.json
with no dependencies. (a9d9fa5
, @kislyuk) - Fix error when using
npm view
on packages that have no versions or have been unpublished. (94df2f5
, @juliangruber;2241a09
, @isaacs)
- Fix extraneous package detection to work in more cases.
(
f671286
, npm/read-installed#20, @LaurentVB)
- Sort dependencies in
package.json
when doingnpm install --save
and all its variants. (6fd6ff7
, @domenic) - Add
--save-exact
option, usable alongside--save
and its variants, which will write the exact version number intopackage.json
instead of the appropriate semver-compatibility range. (17f07df
, @timoxley) - Accept gzipped content from the registry to speed up downloads and save
bandwidth.
(
a3762de
, npm/npm-registry-client#40, @fengmk2) - Fix
npm ls
's--depth
and--log
options. (1d29b17
, npm/read-installed#13, @zertosh) - Fix "Adding a cache directory to the cache will make the world implode" in
certain cases.
(
9a4b2c4
, domenic/path-is-inside#1, @pmarques) - Fix readmes not being uploaded in certain rare cases.
(
527b72c
, @isaacs)
- Add
npm t
as an alias fornpm test
(which is itself an alias fornpm run test
, or evennpm run-script test
). We like making running your tests easy. (14e650b
, @isaacs)
- Add back
npm prune --production
, which was removed in 1.3.24. (acc4d02
, @davglass) - Default
npm install --save
and its counterparts to use the^
version specifier, instead of~
. (0a3151c
, @mikolalysenko) - Make
npm shrinkwrap
output dependencies in a sorted order, so that diffs between shrinkwrap files should be saner now. (059b2bf
, @Raynos) - Fix
npm dedupe
not correctly respecting dependency constraints. (86028e9
, @rafeca) - Fix
npm ls
giving spurious warnings when you used"latest"
as a version specifier. (https://github.com/npm/read-installed/commit/d2956400e0386931c926e0f30c334840e0938f14, @bajtos) - Fixed a bug where using
npm link
on packages without aname
value could cause npm to delete itself. (401a642
, @isaacs) - Fixed
npm install ./[email protected]
to actually install the directory at[email protected]
; before it would try to find version1.2.3
of the package./pkg
in the npm registry. (46d8768
, @rlidwka; see alsof851b79
) - Fix
npm outdated
to respect thecolor
configuration option. (d4f6f3f
, @timoxley) - Fix
npm outdated --parseable
. (9575a23
, @yhpark) - Fix a lockfile-related errors when using certain Git URLs.
(
164b97e
, @nigelzor)
- Fixed an issue related to mid-publish GET requests made against the registry. (https://github.com/npm/npm-registry-client/commit/acbec48372bc1816c67c9e7cbf814cf50437ff93, @isaacs)
- Fix
npm shrinkwrap
forgetting to shrinkwrap dependencies that were also development dependencies. (9c575c5
, @diwu1989) - Fixed publishing of pre-existing packages with uppercase characters in their name. (https://github.com/npm/npm-registry-client/commit/9345d3b6c3d8510dd5c4418f27ee1fce59acebad, @isaacs)
- Remove
npm publish --force
. See npm/npm-registry-couchapp#148. (@isaacs, npm/npm-registry-client@2c8dba990de6a59af6545b75cc00a6dc12777c2a) - Other changes to the registry client related to saved configs and couch logins. (@isaacs; npm/npm-registry-client@25e2b019a1588155e5f87d035c27e79963b75951, npm/npm-registry-client@9e41e9101b68036e0f078398785f618575f3cdde, npm/npm-registry-client@2c8dba990de6a59af6545b75cc00a6dc12777c2a)
- Show an error to the user when doing
npm update
and thepackage.json
specifies a version that does not exist. (@evanlucas,027a33a
) - Fix some issues with cache ownership in certain installation configurations.
(@outcoldman,
a132690
) - Fix issues where GitHub shorthand dependencies
user/repo
were not always treated the same as full Git URLs. (@robertkowalski, https://github.com/meryn/normalize-package-data/commit/005d0b637aec1895117fcb4e3b49185eebf9e240)
- Fixes and updates to publishing code
(
735427a
andc0ac832
, @isaacs) - Fix
npm bugs
with no arguments. (b99d465
, @Hoops)
- Make the search output prettier, with nice truncated columns, and a
--long
option to create wrapping columns. (20439b2
and3a6942d
, @timoxley) - Support multiple packagenames in
npm docs
. (823010b
, @timoxley) - Fix the
npm adduser
bug regarding "Error: default value must be string or number" again. (b9b4248
, @isaacs) - Fix
scripts
entries containing whitespaces on Windows. (80282ed
, @robertkowalski) - Fix
npm update
for Git URLs that have credentials in them (93fc364
, @danielsantiago) - Fix
npm install
overwritingnpm link
-ed dependencies when they are tagged Git dependencies. (af9bbd9
, @evanlucas) - Remove
npm prune --production
since it buggily removed some dependencies that were necessary for production; see #4509. Hopefully it can make its triumphant return, one day. (1101b6a
, @isaacs)
Dependency updates:
909cccf
[email protected]
a3891b6
[email protected]
ac6efbc
[email protected]
dd30038
[email protected]
c8c3ebe
[email protected]
4315286
[email protected]
- Properly handle installations that contained a certain class of circular
dependencies.
(
5dc93e8
, @substack)
- Fix a critical bug in
npm adduser
that would manifest in the error message "Error: default value must be string or number." (fba4bd2
, @isaacs) - Allow
npm bugs
in the current directory to open the current package's bugs URL. (d04cf64
, @evanlucas) - Several fixes to various error messages to include more useful or updated
information.
(
1e6f2a7
,ff46366
,8b4bb48
; @rlidwka, @evanlucas)
- Fix a critical bug that prevented publishing due to incorrect hash
calculation.
(
4ca4a2c
, @dominictarr)
- Fixes a critical bug in v1.3.19. Thankfully, due to that bug, no one could install npm v1.3.19 :)
- Adds atomic PUTs for publishing packages, which should result in far fewer requests and less room for replication errors on the server-side.
- Added an
--ignore-scripts
option, which will preventpackage.json
scripts from being run. Most notably, this will work onnpm install
, so e.g.npm install --ignore-scripts
will not run preinstall and prepublish scripts. (d7e67bf
, @sqs) - Fixed a bug introduced in 1.3.16 that would manifest with certain cache
configurations, by causing spurious errors saying "Adding a cache directory
to the cache will make the world implode."
(
966373f
, @domenic) - Re-fixed the multiple download of URL dependencies, whose fix was reverted in
1.3.17.
(
a362c3f
, @spmason)
- This release reverts
644c2ff
, which avoided re-downloading URL and shinkwrap dependencies when doingnpm install
. You can see the in-depth reasoning ind8c907e
; the problem was, that the patch changed the behavior ofnpm install -f
to reinstall all dependencies. - A new version of the no-re-downloading fix has been submitted as #4303 and will hopefully be included in the next release.
- Git URL dependencies are now updated on
npm install
, fixing a two-year old bug (5829ecf
, @robertkowalski). Additional progress on reducing the resulting Git-related I/O is tracked as #4191, but for now, this will be a big improvement. - Added a
--json
mode tonpm outdated
to give a parseable output. (0b6c9b7
, @yyx990803) - Made
npm outdated
much prettier and more useful. It now outputs a color-coded and easy-to-read table. (fd3017f
, @quimcalpe) - Added the
--depth
option tonpm outdated
, so that e.g. you can donpm outdated --depth=0
to show only top-level outdated dependencies. (1d184ef
, @yyx990803) - Added a
--no-git-tag-version
option tonpm version
, for doing the usual job ofnpm version
minus the Git tagging. This could be useful if you need to increase the version in other related files before actually adding the tag. (59ca984
, @evanlucas) - Made
npm repo
andnpm docs
work without any arguments, adding them to the list of npm commands that work on the package in the current directory when invoked without arguments. (bf9048e
, @robertkowalski;07600d0
, @wilmoore). There are a few other commands we still want to implement this for; see #4204. - Pass through the
GIT_SSL_NO_VERIFY
environment variable to Git, if it is set; we currently do this with a few other environment variables, but we missed that one. (c625de9
, @arikon) - Fixed
npm dedupe
on Windows due to incorrect path separators being used (7677de4
, @mcolyer). - Fixed the
npm help
command when multiple words were searched for; it previously gave aReferenceError
. (6a28dd1
, @dereckson) - Stopped re-downloading URL and shrinkwrap dependencies, as demonstrated in
#3463
(
644c2ff
, @spmason). You can use the--force
option to force re-download and installation of all dependencies.