@ -1,3 +1,326 @@
### v2.8.3 (2015-04-15):
#### TWO SMALL GIT TWEAKS
This is the last of a set of releases intended to ensure npm's git support is
robust enough that we can stop working on it for a while. These fixes are
small, but prevent a common crasher and clear up one of the more confusing
error messages coming out of npm when working with repositories hosted on git.
* [`387f889` ](https://github.com/npm/npm/commit/387f889c0e8fb617d9cc9a42ed0a3ec49424ab5d )
[#7961 ](https://github.com/npm/npm/issues/7961 ) Ensure that hosted git SSH
URLs always have a valid protocol when stored in `resolved` fields in
`npm-shrinkwrap.json` . ([@othiym23](https://github.com/othiym23))
* [`394c2f5` ](https://github.com/npm/npm/commit/394c2f5a1227232c0baf42fbba1402aafe0d6ffb )
Switch the order in which hosted Git providers are checked to `git:` ,
`git+https:` , then `git+ssh:` (from `git:` , `git+ssh:` , then `git+https:` ) in
an effort to go from most to least likely to succeed, to make for less
confusing error message. ([@othiym23](https://github.com/othiym23))
### v2.8.2 (2015-04-14):
#### PEACE IN OUR TIME
npm has been having an issue with CouchDB's web server since the release
of io.js and Node.js 0.12.0 that has consumed a huge amount of my time
to little visible effect. Sam Mikes picked up the thread from me, and
after a [_lot_ of effort ](https://github.com/npm/npm/issues/7699#issuecomment-93091111 )
figured out that ultimately there are probably a couple problems with
the new HTTP Agent keep-alive handling in new versions of Node. In
addition, `npm-registry-client` was gratuitously sending a body along
with a GET request which was triggering the bugs. Sam removed about 10 bytes from
one file in `npm-registry-client` , and this problem, which has been bugging us for months,
completely went away.
In conclusion, Sam Mikes is great, and anybody using a private registry
hosted on CouchDB should thank him for his hard work. Also, thanks to
the community at large for pitching in on this bug, which has been
around for months now.
* [`431c3bf` ](https://github.com/npm/npm/commit/431c3bf6cdec50f9f0c735f478cb2f3f337d3313 )
[#7699 ](https://github.com/npm/npm/issues/7699 ) `npm-registry-client@6.3.2` :
Don't send body with HTTP GET requests when logging in.
([@smikes](https://github.com/smikes))
### v2.8.1 (2015-04-12):
#### CORRECTION: NPM'S GIT INTEGRATION IS DOING OKAY
A [helpful bug report ](https://github.com/npm/npm/issues/7872#issuecomment-91809553 )
led to another round of changes to
[`hosted-git-info` ](https://github.com/npm/hosted-git-info/commit/827163c74531b69985d1ede7abced4861e7b0cd4 ),
some additional test-writing, and a bunch of hands-on testing against actual
private repositories. While the complexity of npm's git dependency handling is
nearly fractal (because npm is very complex, and git is even more complex),
it's feeling way more solid than it has for a while. We think this is a
substantial improvement over what we had before, so give `npm@2.8.1` a shot if
you have particularly complex git use cases and
[let us know ](https://github.com/npm/npm/issues/new ) how it goes.
(NOTE: These changes mostly affect cloning and saving references to packages
hosted in git repositories, and don't address some known issues with things
like lifecycle scripts not being run on npm dependencies. Work continues on
other issues that affect parity between git and npm registry packages.)
* [`66377c6` ](https://github.com/npm/npm/commit/66377c6ece2cf4d53d9a618b7d9824e1452bc293 )
[#7872 ](https://github.com/npm/npm/issues/7872 ) `hosted-git-info@2.1.2` : Pass
through credentials embedded in SSH and HTTPs git URLs.
([@othiym23](https://github.com/othiym23))
* [`15efe12` ](https://github.com/npm/npm/commit/15efe124753257728a0ddc64074fa5a4b9c2eb30 )
[#7872 ](https://github.com/npm/npm/issues/7872 ) Use the new version of
`hosted-git-info` to pass along credentials embedded in git URLs. Test it.
Test it a lot. ([@othiym23](https://github.com/othiym23))
#### SCOPED DEPENDENCIES AND PEER DEPENDENCIES: NOT QUITE REESE'S
Big thanks to [@ewie ](https://github.com/ewie ) for identifying an issue with
how npm was handling `peerDependencies` that were implicitly installed from the
`package.json` files of scoped dependencies. This
[will be a moot point ](https://github.com/npm/npm/issues/6565#issuecomment-74971689 )
with the release of `npm@3` , but until then, it's important that
`peerDependency` auto-installation work as expected.
* [`b027319` ](https://github.com/npm/npm/commit/b0273190c71eba14395ddfdd1d9f7ba625297523 )
[#7920 ](https://github.com/npm/npm/issues/7920 ) Scoped packages with
`peerDependencies` were installing the `peerDependencies` into the wrong
directory. ([@ewie](https://github.com/ewie))
* [`649e31a` ](https://github.com/npm/npm/commit/649e31ae4fd02568bae5dc6b4ea783431ce3d63e )
[#7920 ](https://github.com/npm/npm/issues/7920 ) Test `peerDependency`
installs involving scoped packages using `npm-package-arg` instead of simple
path tests, for consistency. ([@othiym23](https://github.com/othiym23))
#### MAKING IT EASIER TO WRITE NPM TESTS, VERSION 0.0.1
[@iarna ](https://github.com/iarna ) and I
([@othiym23](https://github.com/othiym23)) have been discussing a
[candidate plan ](https://github.com/npm/npm/wiki/rewriting-npm's-tests:-a-plan-maybe )
for improving npm's test suite, with the goal of making it easier for new
contributors to get involved with npm by reducing the learning curve
necessary to be able to write good tests for proposed changes. This is the
first substantial piece of that effort. Here's what the commit message for
[`ed7e249` ](https://github.com/npm/npm/commit/ed7e249d50444312cd266942ce3b89e1ca049bdf )
had to say about this work:
> It's too difficult for npm contributors to figure out what the conventional
> style is for tests. Part of the problem is that the documentation in
> CONTRIBUTING.md is inadequate, but another important factor is that the tests
> themselves are written in a variety of styles. One of the most notable
> examples of this is the fact that many tests use fixture directories to store
> precooked test scenarios and package.json files.
>
> This had some negative consequences:
>
> * tests weren't idempotent
> * subtle dependencies between tests existed
> * new tests get written in this deprecated style because it's not
> obvious that the style is out of favor
> * it's hard to figure out why a lot of those directories existed,
> because they served a variety of purposes, so it was difficult to
> tell when it was safe to remove them
>
> All in all, the fixture directories were a major source of technical debt, and
> cleaning them up, while time-consuming, makes the whole test suite much more
> approachable, and makes it more likely that new tests written by outside
> contributors will follow a conventional style. To support that, all of the
> tests touched by this changed were cleaned up to pass the `standard` style
> checker.
And here's a little extra context from a comment I left on [#7929 ](https://github.com/npm/npm/issues/7929 ):
> One of the other things that encouraged me was looking at this
> [presentation on technical debt ](http://www.slideshare.net/nnja/pycon-2015-technical-debt-the-monster-in-your-closet )
> from Pycon 2015, especially slide 53, which I interpreted in terms of
> difficulty getting new contributors to submit patches to an OSS project like
> npm. npm has a long ways to go, but I feel good about this change.
* [`ed7e249` ](https://github.com/npm/npm/commit/ed7e249d50444312cd266942ce3b89e1ca049bdf )
[#7929 ](https://github.com/npm/npm/issues/7929 ) Eliminate fixture directories
from `test/tap` , leaving each test self-contained.
([@othiym23](https://github.com/othiym23))
* [`4928d30` ](https://github.com/npm/npm/commit/4928d30140821c63e03fffed73f8d88ebdc43710 )
[#7929 ](https://github.com/npm/npm/issues/7929 ) Move fixture files from
`test/tap/*` to `test/fixtures` . ([@othiym23](https://github.com/othiym23))
* [`e925deb` ](https://github.com/npm/npm/commit/e925debca91092a814c1a00933babc3a8cf975be )
[#7929 ](https://github.com/npm/npm/issues/7929 ) Tweak the run scripts to stop
slaughtering the CPU on doc rebuild.
([@othiym23](https://github.com/othiym23))
* [`65bf7cf` ](https://github.com/npm/npm/commit/65bf7cffaf91c426b676c47529eee796f8b8b75c )
[#7923 ](https://github.com/npm/npm/issues/7923 ) Use an alias of scripts and
run-scripts in `npm run test-all` ([@watilde](https://github.com/watilde))
* [`756a3fb` ](https://github.com/npm/npm/commit/756a3fbb852a2469afe706635ed88d22c37743e5 )
[#7923 ](https://github.com/npm/npm/issues/7923 ) Sync timeout time of `npm
run-script test-all` to be the same as `test` and `tap` scripts.
([@watilde](https://github.com/watilde))
* [`8299b5f` ](https://github.com/npm/npm/commit/8299b5fb6373354a7fbaab6f333863758812ae90 )
Set a timeout for tap tests for `npm run-script test-all` .
([@othiym23](https://github.com/othiym23))
#### THE EVER-BEATING DRUM OF DEPENDENCY UPDATES
* [`d90d0b9` ](https://github.com/npm/npm/commit/d90d0b992acbf62fd5d68debf9d1dbd6cfa20804 )
[#7924 ](https://github.com/npm/npm/issues/7924 ) Remove `child-process-close` ,
as it was included for Node 0.6 compatibility, and npm no longer supports
0.6. ([@robertkowalski](https://github.com/robertkowalski))
* [`16427c1` ](https://github.com/npm/npm/commit/16427c1f3ea3d71ee753c62eb4c2663c7b32b84f )
`lru-cache@2.5.2` : More accurate updating of expiry times when `maxAge` is
set. ([@isaacs](https://github.com/isaacs))
* [`03cce83` ](https://github.com/npm/npm/commit/03cce83b64344a9e0fe036dce214f4d68cfcc9e7 )
`nock@1.6.0` : Mocked network error handling.
([@pgte](https://github.com/pgte))
* [`f93b1f0` ](https://github.com/npm/npm/commit/f93b1f0b7eb5d1b8a7967e837bbd756db1091d00 )
`glob@5.0.5` : Use `path-is-absolute` polyfill, allowing newer Node.js and
io.js versions to use `path.isAbsolute()` .
([@sindresorhus](https://github.com/sindresorhus))
* [`a70d694` ](https://github.com/npm/npm/commit/a70d69495a6e96997e64855d9e749d943ee6d64f )
`request@2.55.0` : Bug fixes and simplification.
([@simov](https://github.com/simov))
* [`2aecc6f` ](https://github.com/npm/npm/commit/2aecc6f4083526feeb14615b4e5484edc66175b5 )
`columnify@1.5.1` : Switch to using babel from 6to5.
([@timoxley](https://github.com/timoxley))
### v2.8.0 (2015-04-09):
#### WE WILL NEVER BE DONE FIXING NPM'S GIT SUPPORT
If you look at [the last release's release
notes](https://github.com/npm/npm/blob/master/CHANGELOG.md#git-mean-git-tuff-git-all-the-way-away-from-my-stuff),
you will note that they confidently assert that it's perfectly OK to force all
GitHub URLs through the same `git:` -> `git+ssh:` fallback flow for cloning. It
turns out that many users depend on `git+https:` URLs in their build
environments because they use GitHub auth tokens instead of SSH keys. Also, in
some cases you just want to be able to explicitly say how a given dependency
should be cloned from GitHub.
Because of the way we resolved the inconsistency in GitHub shorthand handling
[before ](https://github.com/npm/npm/blob/master/CHANGELOG.md#bug-fixes-1 ), this
turned out to be difficult to work around. So instead of hacking around it, we
completely redid how git is handled within npm and its attendant packages.
Again. This time, we changed things so that `normalize-package-data` and
`read-package-json` leave more of the git logic to npm itself, which makes
handling shorthand syntax consistently much easier, and also allows users to
resume using explicit, fully-qualified git URLs without npm messing with them.
Here's a summary of what's changed:
* Instead of converting the GitHub shorthand syntax to a `git+ssh:` , `git:` , or
`git+https:` URL and saving that, save the shorthand itself to
`package.json` .
* If presented with shortcuts, try cloning via the git protocol, SSH, and HTTPS
(in that order).
* No longer prompt for credentials -- it didn't work right with the spinner,
and wasn't guaranteed to work anyway. We may experiment with doing this a
better way in the future. Users can override this by setting `GIT_ASKPASS` in
their environment if they want to experiment with interactive cloning, but
should also set `--no-spin` on the npm command line (or run `npm config set
spin=false`).
* **EXPERIMENTAL FEATURE** : Add support for `github:` , `gist:` , `bitbucket:` ,
and `gitlab:` shorthand prefixes. GitHub shortcuts will continue to be
normalized to `org/repo` instead of being saved as `github:org/repo` , but
`gitlab:` , `gist:` , and `bitbucket:` prefixes will be used on the command
line and from `package.json` . BE CAREFUL WITH THIS. `package.json` files
published with the new shorthand syntax can _only_ be read by `npm@2.8.0` and
later, and this feature is mostly meant for playing around with it. If you
want to save git dependencies in a form that older versions of npm can read,
use `--save-exact` , which will save the git URL and resolved commit hash of
the head of the branch in a manner similar to the way that `--save-exact`
pins versions for registry dependencies. This is documented (so check `npm
help install` for details), but we're not going to make a lot of noise about
it until it has a chance to bake in a little more.
It is [@othiym23 ](https://github.com/othiym23 )'s sincere hope that this will
resolve all of the inconsistencies users were seeing with GitHub and git-hosted
packages, but given the level of change here, that may just be a fond wish.
Extra testing of this change is requested.
* [`6b0f588` ](https://github.com/npm/npm/commit/6b0f58877f37df9904490ffbaaad33862bd36dce )
[#7867 ](https://github.com/npm/npm/issues/7867 ) Use git shorthand and git
URLs as presented by user. Support new `hosted-git-info` shortcut syntax.
Save shorthand in `package.json` . Try cloning via `git:` , `git+ssh:` , and
`git+https:` , in that order, when supported by the underlying hosting
provider. ([@othiym23](https://github.com/othiym23))
* [`75d4267` ](https://github.com/npm/npm/commit/75d426787869d54ca7400408f562f971b34649ef )
[#7867 ](https://github.com/npm/npm/issues/7867 ) Document new GitHub, GitHub
gist, Bitbucket, and GitLab shorthand syntax.
([@othiym23](https://github.com/othiym23))
* [`7d92c75` ](https://github.com/npm/npm/commit/7d92c7592998d90ec883fa989ca74f04ec1b93de )
[#7867 ](https://github.com/npm/npm/issues/7867 ) When `--save-exact` is used
with git shorthand or URLs, save the fully-resolved URL, with branch name
resolved to the exact hash for the commit checked out.
([@othiym23](https://github.com/othiym23))
* [`9220e59` ](https://github.com/npm/npm/commit/9220e59f8def8c82c6d331a39ba29ad4c44e3a9b )
[#7867 ](https://github.com/npm/npm/issues/7867 ) Ensure that non-prefixed and
non-normalized GitHub shortcuts are saved to `package.json` .
([@othiym23](https://github.com/othiym23))
* [`dd398e9` ](https://github.com/npm/npm/commit/dd398e98a8eba27eeba84378200da3d078fdf980 )
[#7867 ](https://github.com/npm/npm/issues/7867 ) `hosted-git-info@2.1.1` :
Ensure that `gist:` shorthand survives being round-tripped through
`package.json` . ([@othiym23](https://github.com/othiym23))
* [`33d1420` ](https://github.com/npm/npm/commit/33d1420bf2f629332fceb2ac7e174e63ac48f96a )
[#7867 ](https://github.com/npm/npm/issues/7867 ) `hosted-git-info@2.1.0` : Add
support for auth embedded directly in git URLs.
([@othiym23](https://github.com/othiym23))
* [`23a1d5a` ](https://github.com/npm/npm/commit/23a1d5a540e8db27f5cd0245de7c3694e2bddad1 )
[#7867 ](https://github.com/npm/npm/issues/7867 ) `hosted-git-info@2.0.2` : Make
it possible to determine in which form a hosted git URL was passed.
([@iarna](https://github.com/iarna))
* [`eaf75ac` ](https://github.com/npm/npm/commit/eaf75acb718611ad5cfb360084ec86938d9c66c5 )
[#7867 ](https://github.com/npm/npm/issues/7867 )
`normalize-package-data@2.0.0` : Normalize GitHub specifiers so they pass
through shortcut syntax and preserve explicit URLs.
([@iarna](https://github.com/iarna))
* [`95e0535` ](https://github.com/npm/npm/commit/95e0535e365e0aca49c634dd2061a0369b0475f1 )
[#7867 ](https://github.com/npm/npm/issues/7867 ) `npm-package-arg@4.0.0` : Add
git URL and shortcut to hosted git spec and use `hosted-git-info@2.0.2` .
([@iarna](https://github.com/iarna))
* [`a808926` ](https://github.com/npm/npm/commit/a8089268d5f3d57f42dbaba02ff6437da5121191 )
[#7867 ](https://github.com/npm/npm/issues/7867 )
`realize-package-specifier@3.0.0` : Use `npm-package-arg@4.0.0` and test
shortcut specifier behavior. ([@iarna](https://github.com/iarna))
* [`6dd1e03` ](https://github.com/npm/npm/commit/6dd1e039bddf8cf5383343f91d84bc5d78acd083 )
[#7867 ](https://github.com/npm/npm/issues/7867 ) `init-package-json@1.4.0` :
Allow dependency on `read-package-json@2.0.0` .
([@iarna](https://github.com/iarna))
* [`63254bb` ](https://github.com/npm/npm/commit/63254bb6358f66752aca6aa1a275271b3ae03f7c )
[#7867 ](https://github.com/npm/npm/issues/7867 ) `read-installed@4.0.0` : Use
`read-package-json@2.0.0` . ([@iarna](https://github.com/iarna))
* [`254b887` ](https://github.com/npm/npm/commit/254b8871f5a173bb464cc5b0ace460c7878b8097 )
[#7867 ](https://github.com/npm/npm/issues/7867 ) `read-package-json@2.0.0` :
Use `normalize-package-data@2.0.0` . ([@iarna](https://github.com/iarna))
* [`0b9f8be` ](https://github.com/npm/npm/commit/0b9f8be62fe5252abe54d49e36a696f4816c2eca )
[#7867 ](https://github.com/npm/npm/issues/7867 ) `npm-registry-client@6.3.0` :
Mark compatibility with `normalize-package-data@2.0.0` and
`npm-package-arg@4.0.0` . ([@iarna](https://github.com/iarna))
* [`f40ecaa` ](https://github.com/npm/npm/commit/f40ecaad68f77abc50eb6f5b224e31dec3d250fc )
[#7867 ](https://github.com/npm/npm/issues/7867 ) Extract a common method to
use when cloning git repos for testing.
([@othiym23](https://github.com/othiym23))
#### TEST FIXES FOR NODE 0.8
npm continues to [get closer ](https://github.com/npm/npm/issues/7842 ) to being
completely green on Travis for Node 0.8.
* [`26d36e9` ](https://github.com/npm/npm/commit/26d36e9cf0eca69fe1863d2ea536c28555b9e8de )
[#7842 ](https://github.com/npm/npm/issues/7842 ) When spawning child
processes, map exit code 127 to ENOENT so Node 0.8 handles child process
failures the same as later versions.
([@SonicHedgehog](https://github.com/SonicHedgehog))
* [`54cd895` ](https://github.com/npm/npm/commit/54cd8956ea783f96749e46597d8c2cb9397c5d5f )
[#7842 ](https://github.com/npm/npm/issues/7842 ) Node 0.8 requires -e with -p
when evaluating snippets; fix test.
([@SonicHedgehog](https://github.com/SonicHedgehog))
#### SMALL FIX AND DOC TWEAK
* [`20e9003` ](https://github.com/npm/npm/commit/20e90031b847e9f7c7168f3dad8b1e526f9a2586 )
`tar@2.0.1` : Fix regression where relative symbolic links within an
extraction root that pointed within an extraction root would get normalized
to absolute symbolic links. ([@isaacs](https://github.com/isaacs))
* [`2ef8898` ](https://github.com/npm/npm/commit/2ef88989c41bee1578570bb2172c90ede129dbd1 )
[#7879 ](https://github.com/npm/npm/issues/7879 ) Better document that `npm
publish --tag=foo` will not set `latest` to that version.
([@linclark](https://github.com/linclark))
### v2.7.6 (2015-04-02):
#### GIT MEAN, GIT TUFF, GIT ALL THE WAY AWAY FROM MY STUFF