307 KiB
v3.3.10 (2015-10-22):
Hey you all! Welcome to a busy bug fix and PR week. We've got changes
to how npm install
replaces dependencies during updates, improvements
to shrinkwrap behavior, and all sorts of doc updates.
In other news, npm@3
landed in node master in preparation for node@5
with 41923c0
.
UPDATED DEPS NOW MAKE MORE SENSE
971fd47
#9929 Make the tree more consistent by doing updates in place. This means that trees after a dependency version update will more often look the same as after a fresh install. (@iarna)
SHRINKWRAP + DEV DEPS NOW RESPECTED
eb28a8c
#9647 If a shrinkwrap already has dev deps, don't throw them away when someone later runsnpm install --save
. (@iarna)
FANTASTIC DOCUMENTATION UPDATES
291162c
#10021 Improve wording in the FAQ to be more empathetic and less jokey. (@TaMe3971)9a28c54
#10020 Document the command to see the list of config defaults in the section on config defaults. (@lady3bean)8770b0a
#7600 Add shortcuts to all command documentation. (@RichardLitt)e9b7d0d
#9950 On errors that can be caused by outdated node & npm, suggest updating as a part of the error message. (@ForbesLindesay)
NEW STANDARD HAS ALWAYS BEEN STANDARD
v3.3.9 (2015-10-15):
This week sees a few small changes ready to land:
TRAVIS NODE 0.8 BUILDS REJOICE
25a234b
#9668 Installnpm@3
's bundled dependencies withnpm@2
, so that the ancient npm that ships with node 0.8 can installnpm@3
directly. (@othiym23)
SMALL ERROR MESSAGE IMPROVEMENT
a332f61
#9927 Update error messages where we report a list of versions that you could have installed to show this as a comma separated list instead of as JSON. (@iarna)
DEPENDENCY UPDATES
4cd74b0
nock@2.15.0
(@pgte)9360976
tap@2.1.1
(@isaacs)1ead0a4
which@1.2.0
(@isaacs)759f88a
has-unicode@1.0.1
(@iarna)
v3.3.8 (2015-10-12):
This is a small update release, we're reverting
22a3af0
from last week's
release, as it is resulting in crashes. We'll revisit this PR during this
week.
v3.3.7 (2015-10-08):
So, as Kat mentioned in last week's 2.x release, we're now swapping weeks between accepting PRs and doing dependency updates, in an effort to keep release management work from taking over our lives. This week is a PR week, so we've got a bunch of goodies for you.
Relatedly, this week means 3.3.6 is now latest
and it is WAY faster than
previous 3.x releases. Give it or this a look!
OPTIONAL DEPS, MORE OPTIONAL
2289234
#9643 #9664npm@3
was triggeringnpm@2
's build mechanics when it was linking bin files into the tree. This was originally intended to trigger rebuilds of bundled modules, butnpm@3
's flat module structure confused it. This caused two seemingly unrelated issues. First, failing optional dependencies could under some circumstances (if they were built during this phase) trigger a full build failure. And second, rebuilds were being triggered of already installed modules, again, in some circumstances. Both of these are fixed by disabling thenpm@2
mechanics and adding a special rebuild phase for the initial installation of bundled modules. (@iarna)
BAD NAME, NO CRASH
b78fec9
#9766 Refactor all attempts to read the module name or package name to go via a single function, with appropriate guards unusual circumstances where they aren't where we expect them. This ultimately will ensure we don't see any more recurrences of thelocaleCompare
error and related crashers. (@iarna)
MISCELLANEOUS BUG FIXES
22a3af0
#9553 Factor the lifecycle code to manage paths out into its own module and use that. (@kentcdodds)6a29fe3
#9677 Start testing our stuff in node 4 on travis (@fscherwi)508c6a4
#9669 MakerecalculateMetadata
more resilient to unexpectedly bogus dependency specifiers. (@tmct)3c44763
#9643 Updateinstall --only
to ignore theNODE_ENV
var and just use the only value, if specified. (@watilde)87336c3
#9879npm@3
's shrinkwrap was refusing to shrinkwrap if an optional dependency was missing– patch it to allow this. (@mantoni)
DOCUMENTATION UPDATES
82659fd
#9208 Correct the npm style guide around quote usage (@aaroncrows)a69c83a
#9645 Fix spelling error in README (@dkoleary88)f2cf054
#9714 Fix typos in our documentation (@reggi)7224bef
#9759 Fix typo in npm-team docs (@zkat)7e6e007
#9820 Correct documentation as tobinding.gyp
(@KenanY)
v2.14.8 (2015-10-08):
SLOWLY RECOVERING FROM FEELINGS
OS&F is definitely my favorite convention I've gone to. Y'all should check it out next year! Rebecca and Kat are back, although Forrest is out at &yet conf.
This week sees another tiny LTS release with non-code-related patches -- just CI/release things.
Meanwhile, have you heard? npm@3
is much faster now! Go upgrade with npm install -g npm@latest
and give it a whirl if you haven't already!
IF YOU CHANGE CASING ON A FILE, YOU ARE NOT MY FRIEND
Seriously. I love me some case-sensitive filesystems, but a lot of us have to
deal with git
and its funky support for case normalizing systems. Have mercy
and just don't bother if all you're changing is casing, please? Otherwise, I
have to do this little dance to prevent horrible conflicts.
c3a7b61
#9804 Remove the readme file with weird casing. (@zkat)f3f619e
#9804 Add the readme file back in, with desired casing. (@zkat)
IDK. OUR CI DOESN'T EVEN FULLY WORK YET BUT SURE
Either way, it's nice to make sure we're running stuff on the latest Node. 4.2
is getting released very soon, though (this week?), and that'll be the first
official LTS release!
v2.14.7 (2015-10-01):
MORE RELEASE STAGGERING?!
Hi all, and greetings from Open Source & Feelings!
So we're switching gears a little with how we handle our weekly releases: from now on, we're going to stagger release weeks between dependency bumps and regular patches. So, this week, aside from a doc change, we'll be doing only version bumps. Expect actual patches next week!
TOTALLY FOLLOWING THE RULES ALREADY
So I snuck this in, because it's our own @snopeks'
first contribution to the main npm
repo. She's been helping with building
support documents for Orgs, and contributed her general intro guide to the new
feature so you can read it with npm help orgs
right in your terminal!
JUST. ONE. MORE.
OKAY ACTUALLY THE THING I WAS SUPPOSED TO DO
Anyway -- here's your version bump! :)
4aeb94c
request@2.64.0
: No longer defaulting toapplication/json
forjson
requests. Also some minor doc and packaging patches. (@simov)minimatch@3.0.0
: No longer packaging browser modules. (@isaacs)a18b213
glob@5.0.15
: Upgradedminimatch
dependency. (@isaacs)9eb64d4
nock@2.13.0
(@pgte)
v3.3.6 (2015-09-30):
I have the most exciting news for you this week. YOU HAVE NO IDEA. Well, ok, maybe you do if you follow my twitter.
Performance just got 5 bazillion times better (under some circumstances,
ymmv, etc). So– my test scenario is our very own website. In npm@2
, on my
macbook running npm ls
takes about 5 seconds. Personally it's more than
I'd like, but it's entire workable. In npm@3
it has been taking 50 seconds,
which is appalling. But after doing some work on Monday isolating the performance
issues I've been able to reduce npm@3
's run time back down to 5 seconds.
Other scenarios were even worse, there was one that until now in npm@3
that
took almost 6 minutes, and has been reduced to 14 seconds.
7bc0d4c
cf42217
#8826 Stop using deepclone on super big datastructures. Avoid cloning all-together even when that means mutating things, when possible. Otherwise use a custom written tree-copying function that understands the underlying datastructure well enough to only copy what we absolutely need to. (@iarna)
In other news, look for us this Friday and Saturday at the amazing Open Source and Feelings conference, where something like a third of the company will be attending.
And finally a dependency update
And some subdep updates
cc5e6a0
hoek@2.16.3
(@nlf)912a516
boom@2.9.0
(@arb)63944e9
bluebird@2.10.1
(@petkaantonov)ef16003
mime-types@2.1.7
&mime-db@1.19.0
(@dougwilson)2b8c0dd
request@2.64.0
(@simov)8139124
brace-expansion@1.1.1
(@juliangruber)
v3.3.5 (2015-09-24):
Some of you all may not be aware, but npm is ALSO a company. I tell you this 'cause npm-the-company had an all-staff get together this week, flying in our remote folks from around the world. That was great, but it also basically eliminated normal work on Monday and Tuesday.
Still, we've got a couple of really important bug fixes this week. Plus a lil bit from the now LTS 2.x branch.
ATTENTION WINDOWS USERS
If you previously updated to npm 3 and you try to update again, you may get
an error messaging telling you that npm won't install npm into itself. Until you
are at 3.3.5 or greater, you can get around this with npm install -f -g npm
.
bef06f5
#9741 Uh... so... er... it seems that sincenpm@3.2.0
on Windows with a default configuration, it's been impossible to update npm. Well, that's not actually true, there's a work around (see above), but it shouldn't be complaining in the first place. (@iarna)
STACK OVERFLOWS ON PUBLISH
-
330b496
#9667 We were keeping track of metadata about your project while packing the tree in a way that resulted in this data being written to packed tar files headers. When this metadata included cycles, it resulted in the the tar file entering an infinite recursive loop and eventually crashing with a stack overflow.I've patched this by keeping track of your metadata by closing over the variables in question instead, and I've further restricted gathering and tracking the metadata to times when it's actually needed. (Which is only if you need bundled modules.) (@iarna)
LESS CRASHY ERROR MESSAGES ON BAD PACKAGES
829921f
#9741 Packages with invalid names or versions were crashing the installer. These are now captured and warned as was originally intended. (@iarna)
ONE DEPENDENCY UPDATE
AND ONE SUBDEPENDENCY
v2.14.6 (2015-09-24):
¯\_(ツ)_/¯
Since 2.x
is LTS now, you can expect a slowdown in overall release sizes. On
top of that, we had our all-company-npm-internal-conf thing on Monday and
Tuesday so there wasn't really time to do much at all.
Still, we're bringing you a couple of tiny little changes this week!
7b7da13
#9471 When the port for a tarball is different than the registry it's in, but the hostname is the same, the protocol is now allowed to change, too. (@fastest963)6643ada
request@2.63.0
: Useapplication/json
as the default content type when makingjson
requests. (@simov)
v3.3.4 (2015-09-17):
This is a relatively quiet release, bringing a few bug fixes and some module updates, plus via the 2.14.5 release some forward compatibility fixes with versions of Node that aren't yet released.
NO BETA NOTICE THIS TIME!!
But, EXCITING NEWS FRIENDS, this week marks the exit of npm@3
from beta. This means that the week of this release,
v3.3.3 will
become latest
and this version (v3.3.4) will become next
!!
CRUFT FOR THE CRUFT GODS
What I call "cruft", by which I mean, files sitting around in
your node_modules
folder, will no longer produce warnings in
npm ls
nor during npm install
. This brings npm@3
's behavior
in line with npm@2
.
BETTER ERROR MESSAGE
MODULE UPDATES
ebb92ca
retry@0.8.0
(@tim-kos)55f1285
normalize-package-data@2.3.4
(@zkat)6d4ebff
sha@2.0.1
(@ForbesLindesay)09a9c7a
semver@5.0.3
(@isaacs)745000f
node-gyp@3.0.3
(@rvagg)
SUB DEP MODULE UPDATES
v2.14.5 (2015-09-17):
NPM IS DEAD. LONG LIVE NPM
That's right folks. As of this week, npm@next
is npm@3
, which means it'll be
npm@latest
next week! There's some really great shiny new things over there,
and you should really take a look.
Many kudos to @iarna for her hard work on npm@3
!
Don't worry, we'll keep 2.x
around for a while (as LTS), but you won't see
many, if any, new features on this end. From now on, we're going to use
latest-2
and next-2
as the dist tags for the npm@2
branch.
OKAY THAT'S FINE CAN I DEPRECATE THINGS NOW?
Yes! Specially if you're using scoped packages. Apparently, deprecating them never worked, but that should be better now. :)
eca7b24
#9558 Add tests for npm deprecate. (@zkat)648fe16
#9558npm-registry-client@7.0.7
: Fixesnpm deprecate
so you can actually deprecate scoped modules now (it never worked). (@zkat)
WTF IS node-waf
idk. Some old thing. We don't talk about it anymore.
cf1b39f
#9584 Fix ancient references tonode-waf
in the docs to refer to thenode-gyp
version of things. (@KenanY)
THE graceful-fs
AND node-gyp
SAGA CONTINUES
Last week had some sweeping graceful-fs
upgrades, and this takes care of one
of the stragglers, as well as bumping node-gyp
. node@4
users might be
excited about this, or even node@<4
users who previously had to cherry-pick a
bunch of patches to get the latest npm working.
e07354f
sha@2.0.1
: Upgraded graceful-fs! (@ForbesLindesay)83cb6ee
node-gyp@3.0.3
(@rvagg)
DEPS! DEPS! MORE DEPS! OK STOP DEPS
0d60888
normalize-package-data@2.3.4
: Use an external package to check for built-in node modules. (@sindresorhus)79b4dac
retry@0.8.0
(@tim-kos)c164941
request@2.62.0
: node 4 added to build targets. Option initialization issues fixed. (@simov)0fd878a
lru-cache@2.7.0
: Cache serialization support and fixes a cache length bug. (@isaacs)6a7a114
nock@2.12.0
(@pgte)6b25e6d
semver@5.0.3
: Removed uglify-js dead code. (@isaacs)
v3.3.3 (2015-09-10):
This short week brought us brings us a few small bug fixes, a doc change and a whole lotta dependency updates.
Plus, as usual, this includes a forward port of everything in
npm@2.14.4
.
BETA BUT NOT FOREVER
THIS IS BETA SOFTWARE. npm@3
will remain in beta until
we're confident that it's stable and have assessed the effect of
the breaking changes on the community. During that time we will
still be doing npm@2
releases, with npm@2
tagged as latest
and next
. We'll also be publishing new releases of npm@3
as npm@v3.x-next
and npm@v3.x-latest
alongside those
versions until we're ready to switch everyone over to npm@3
.
We need your help to find and fix its remaining bugs. It's a
significant rewrite, so we are sure there still significant
bugs remaining. So do us a solid and deploy it in non-critical
CI environments and for day-to-day use, but maybe don't use it
for production maintenance or frontline continuous deployment
just yet.
REMOVE INSTALLED BINARIES ON WINDOWS
So waaaay back at the start of August, I fixed a bug with
#9198. That fix made it
so that if you had two modules installed that both installed the
same binary (eg gulp
& gulp-cli
), that removing one wouldn't
remove the binary if it was owned by the other.
It did this by doing some hocus-pocus that, turns out, was Unix-specific, so on Windows it just threw up its hands and stopped removing installed binaries at all. Not great.
So today we're fixing that– it let us maintain the same safety that we added in #9198, but ALSO works with windows.
API DOCUMENTATION HAS BEEN SACRIFICED THE API GOD
The documentation of the internal APIs of npm is going away,
because it would lead people into thinking they should integrate
with npm by using it. Please don't do that! In the future, we'd
like to give you a suite of stand alone modules that provide
better, more stand alone APIs for your applications to build on.
But for now, call the npm binary with process.exec
or
process.spawn
instead.
ALLOW npm link
ON WINDOWS W/ PRERELEASE VERSIONS OF NODE
We never meant to have this be a restriction in the first place and it was only just discovered with the recent node 4.0.0 release candidate.
graceful-fs update
We're updating all of npm's deps to use the most recent
graceful-fs
. This turns out to be important for future not yet
released versions of node, because older versions monkey-patch
fs
in ways that will break in the future. Plus it ALSO makes
use of process.binding
which is an internal API that npm
definitely shouldn't have been using. We're not done yet, but
this is the bulk of them.
e7bc98e
write-file-atomic@1.1.3
(@iarna)7417600
tar@2.2.1
(@zkat)e4e9d40
read-package-json@2.0.1
(@zkat)481611d
read-installed@4.0.3
(@zkat)0dabbda
npm-registry-client@7.0.4
(@zkat)c075a91
fstream@1.0.8
(@zkat)2e4341a
fs-write-stream-atomic@1.0.4
(@zkat)18ad16e
fs-vacuum@1.2.7
(@zkat)
DEPENDENCY UPDATES
9d6666b
node-gyp@3.0.1
(@rvagg)349c4df
retry@0.7.0
(@tim-kos)f507551
which@1.1.2
(@isaacs)e5b6743
nopt@3.0.4
(@zkat)
THE DEPENDENCIES OF OUR DEPENDENCIES ARE OUR DEPENDENCIES UPDATES
316382d
mime-types@2.1.6
&mime-db@1.18.0
64b741e
spdx-correct@1.0.1
fff62ac
process-nextick-args@1.0.3
9d6488c
cryptiles@2.0.5
1912012
bluebird@2.10.0
4d09402
readdir-scoped-modules@1.0.2
v2.14.4 (2015-09-10):
THE GREAT NODEv4 SAGA
So Node 4 is out now and that's
going to involve a number of things over in npm land. Most importantly, it's the
last major release that will include the 2.x
branch of npm. That also means
that 2.x
is going to go into LTS mode in the coming weeks -- once npm@3
becomes our official latest
release. You can most likely expect Node 5 to
include npm@3
by default, whenever that happens. We'll go into more detail
about LTS at that point, as well, so keep your eyes peeled for announcements!
NODE IS DEAD. LONG LIVE NODE!
Node 4 being released means that a few things that used to be floating patches are finally making it right into npm proper. This week, we've got two such updates, both to dependencies:
505d9e4
node-gyp@3.0.1
: Support for node nightlies and compilation for both node and io.js without extra patching (@rvagg)
@thefourtheye was kind enough to submit a
bunch of PRs to npm's dependencies updating them to graceful-fs@4.1.2
, which
mainly makes it so we're no longer monkey-patching fs
. The following are all
updates related to this:
10cb189
write-file-atomic@1.1.3
(@thefourtheye)edfb80b
tar@2.2.1
(@thefourtheye)aa6e1ee
read-package-json@2.0.1
(@thefourtheye)18971a3
read-installed@4.0.3
(@thefourtheye)a4cba71
fstream@1.0.8
(@thefourtheye)70a38e2
fs-write-stream-atomic@1.0.4
(@thefourtheye)9cbd20f
fs-vacuum@1.2.7
(@thefourtheye)
OTHER PATCHES
c4dd521
#9506 Makenpm link
work on Windows when using node pre-release/RC releases. (@jon-hall)b6bc29c
#9544process.binding
is being deprecated, so our only direct usage has been removed. (@ChALkeR)
MORE DEPENDENCIES!
d940594
tap@1.4.1
(@isaacs)ee38486
which@1.1.2
: Added tests for Windows-related dead code that was previously helping a silent failure happen. Travis stuff, too. (@isaacs)
DOC UPDATES
475daf5
#9492 Clarify how.npmignore
and.gitignore
are found and used by npm. (@addaleax)b2c391d
nopt@3.0.4
: Minor clarifications to docs about how array and errors work. (@zkat)
v3.3.2 (2015-09-04):
PLEASE HOLD FOR THE NEXT AVAILABLE MAINTAINER
This is a tiny little maintenance release, both to update dependencies and to
keep npm@3
up to date with changes made to npm@2
.
@othiym23 is putting out this release (again) as
his esteemed colleague @iarna finishes relocating
herself, her family, and her sizable anime collection all the way across North
America. It contains all the goodies in
npm@2.14.3
and one other
dependency update.
BETA WARNINGS FOR FUN AND PROFIT
THIS IS BETA SOFTWARE. npm@3
will remain in beta until we're
confident that it's stable and have assessed the effect of the breaking
changes on the community. During that time we will still be doing npm@2
releases, with npm@2
tagged as latest
and next
. We'll also be
publishing new releases of npm@3
as npm@v3.x-next
and npm@v3.x-latest
alongside those versions until we're ready to switch everyone over to
npm@3
. We need your help to find and fix its remaining bugs. It's a
significant rewrite, so we are sure there still significant bugs
remaining. So do us a solid and deploy it in non-critical CI environments
and for day-to-day use, but maybe don't use it for production maintenance or
frontline continuous deployment just yet.
That said, it's getting there! It will be leaving beta very soon!
ONE OTHER DEPENDENCY UPDATE
bb5de34
is-my-json-valid@2.12.2
: Upgrade to a new, modernized version ofjson-pointer
. (@mafintosh)
v2.14.3 (2015-09-03):
TEAMS AND ORGS STILL BETA. CLI CODE STILL SOLID.
Our closed beta for Teens and Orcs is happening! The web team is hard at work making sure everything looks pretty and usable and such. Once we fix things stemming from that beta, you can expect the feature to be available publicly. Some time after that, it'll even be available for free for FOSS orgs. It'll Be Done When It's Done™.
OH GOOD, I CAN ACTUALLY UPSTREAM NOW
Looks like last week's release foiled our own test suite when trying to upstream
it to Node! Just a friendly reminder that no, .npmrc
is no longer included
then you pack/release a package! @othiym23 and
@isaacs managed to suss the really strange test
failures resulting from that, and we've patched it in this release.
01a3428
#9476 test: Recreate missing.npmrc
files when missing so downstream packagers can run tests on packed npm. (@othiym23)
TALKING ABOUT THE CHANGELOG IN THE CHANGELOG IS LIKE, POMO OR SOMETHING
devDependencies UPDATED
No actual dep updates this week, but we're bumping a couple of devDeps:
8454835
tap@1.4.0
: Addt.contains()
as alias tot.match()
(@isaacs)13d2216
deep-equal@1.0.1
: Makenull == undefined
in non-strict mode (@isaacs)
v3.3.1 (2015-08-27):
Hi all, this npm@3
update brings you another round of bug fixes. The
headliner here is that npm update
works again. We're running down the
clock on blocker 3.x issues! Shortly after that hits zero we'll be
promoting 3.x to latest!!
And of course, we have changes that were brought forward from 2.x. Check out the release notes for 2.14.1 and 2.14.2.
BETA WARNINGS FOR FUN AND PROFIT
THIS IS BETA SOFTWARE. npm@3
will remain in beta until we're
confident that it's stable and have assessed the effect of the breaking
changes on the community. During that time we will still be doing npm@2
releases, with npm@2
tagged as latest
and next
. We'll also be
publishing new releases of npm@3
as npm@v3.x-next
and npm@v3.x-latest
alongside those versions until we're ready to switch everyone over to
npm@3
. We need your help to find and fix its remaining bugs. It's a
significant rewrite, so we are sure there still significant bugs
remaining. So do us a solid and deploy it in non-critical CI environments
and for day-to-day use, but maybe don't use it for production maintenance or
frontline continuous deployment just yet.
NPM UPDATE, NOW AGAIN YOUR FRIEND
f130a00
#9095npm update
once again works! Previously, after selecting packages to update, it would then pick the wrong location to run the install from. (@iarna)
MORE VERBOSING FOR YOUR VERBOSE LIFECYCLES
d088b7d
#9227 Add some additional logging at the verbose and silly levels when running lifecycle scripts. Hopefully this will make debugging issues with them a bit easier! (@saper)
AND SOME OTHER BUG FIXES…
-
f4a5784
#9308 Make fetching metadata for local modules faster! This ALSO means that doing things like runningnpm repo
won't build your module and maybe runprepublish
. (@iarna) -
4468c92
#9205 Fix a bug where local modules would sometimes not resolve relative links using the correct base path. (@iarna) -
d395a6b
#8995 Certain combinations of packages could result in different install orders for their initial installation than for reinstalls run on the same folder. (@iarna) -
d119ea6
#9113 Make extraneous packages always up innpm ls
. Previously, if an extraneous package had a dependency that depended back on the original package this would result in the package not showing up inls
. (@iarna) -
02420dc
#9113 Stop warning about missing top level package.json files. Errors in said files will still be reported. (@iarna)
SOME DEP UPDATES
1ed1364
rimraf@2.4.3
(@isaacs) Added EPERM to delay/retry loope7b8315
read@1.0.7
Smaller distribution package, better metadata (@isaacs)
SOME DEPS OF DEPS UPDATES
b273bcc
mime-types@2.1.5
df6e225
mime-db@1.17.0
785f2ad
is-my-json-valid@2.12.1
88170dd
form-data@1.0.0-rc3
af5357b
request@2.61.0
337f96a
chalk@1.1.1
3dfd74d
async@1.4.2
v2.14.2 (2015-08-27):
GETTING THAT PESKY preferGlobal
WARNING RIGHT
So apparently the preferGlobal
option hasn't quite been warning correctly for
some time. But now it should be all better! tl;dr: if you try and install a
dependency with preferGlobal: true
, and it's not already in your
package.json
, you'll get a warning that the author would really rather you
install it with --global
. This should prevent Windows PowerShell from thinking
npm has failed just because of a benign warning.
bbb25f3
#8841 #9409 ThepreferGlobal
warning shouldn't happen if the dependency being installed is listed indevDependencies
. (@saper)222fcec
#9409preferGlobal
now prints a warning when there are no dependencies for the current package. (@zkat)5cfed6d
#9409 Verify thatpreferGlobal
is warning as expected (when apreferGlobal
dependency is installed, but isn't listed in eitherdependencies
ordevDependencies
). (@zkat)
BUMP +1
eeafce2
validate-npm-package-license@3.0.1
: Include additional metadata in parsed license object, useful for license checkers. (@kemitchell)1502a28
normalise-package-data@2.3.2
: Updated to usevalidate-npm-package-license@3.0.1
. (@othiym23)cbde823
init-package-json@1.9.1
: Add asilent
option to suppress output on writing the generatedpackage.json
. Also, updated to usevalidate-npm-package-license@3.0.1
. (@zkat)08fda46
tar@2.2.0
: Minor improvements. (@othiym23)dc2f20b
rimraf@2.4.3
:EPERM
now triggers a delay / retry loop (since Windows throws this when things still hold a handle). (@isaacs)e8acb27
read@1.0.7
: Fix licensing ambiguity. (@isaacs)
OTHER STUFF THAT'S RELEVANT
73a1ee0
#9386 Include additional unignorable files in documentation. (@mjhasbach)0313e40
#9396 Improve theEISDIR
error message returned by npm's error-handling code to give users a better hint of what's most likely going on. Usually, error reports with this error code are about people trying to install things without apackage.json
. (@KenanY)2677457
#9360 Make it easier to run only some of npm tests with lifecycle scripts vianpm tap test/tap/testname.js
. (@iarna)
v2.14.1 (2015-08-20):
SECURITY FIX
There are patches for two information leaks of moderate severity in npm@2.14.1
:
- In some cases, npm was leaking sensitive credential information into the
child environment when running package and lifecycle scripts. This could
lead to packages being published with files (most notably
config.gypi
, a file created bynode-gyp
that is a cache of environmental information regenerated on every run) containing the bearer tokens used to authenticate users to the registry. Users with affected packages have been notified (and the affected tokens invalidated), and now npm has been modified to not upload files that could contain this information, as well as scrubbing the sensitive information out of the environment passed to child scripts. - Per-package
.npmrc
files are used by some maintainers as a way to scope those packages to a specific registry and its credentials. This is a reasonable use case, but by default.npmrc
was packed into packages, leaking those credentials. npm will no longer include.npmrc
when packing tarballs.
If you maintain packages and believe you may be affected by either
of the above scenarios (especially if you've received a security
notification from npm recently), please upgrade to npm@2.14.1
as
soon as possible. If you believe you may have inadvertently leaked
your credentials, upgrade to npm@2.14.1
on the affected machine,
and run npm logout
and then npm login
. Your access tokens will be
invalidated, which will eliminate any risk posed by tokens inadvertently
included in published packages. We apologize for the inconvenience this
causes, as well as the oversight that led to the existence of this issue
in the first place.
Huge thanks to @ChALkeR for bringing these issues to our attention, and for helping us identify affected packages and maintainers. Thanks also to the Node.js security working group for their coördination with the team in our response to this issue. We appreciate everybody's patience and understanding tremendously.
b9474a8
fstream-npm@1.0.5
: Stop publishing build cruft (config.gypi
) and per-project.npmrc
files to keep local configuration out of published packages. (@othiym23)13c286d
#9348 Filter "private" (underscore-prefixed, even when scoped to a registry) configuration values out of child environments. (@othiym23)
BETTER WINDOWS INTEGRATION, ONE STEP AT A TIME
e40e71f
#6412 Improve the search strategy used by the npm shims for Windows to prioritize your own local npm installs. npm has really needed this tweak for a long time, so hammer on it and let us know if you run into issues, but with luck it will Just Work. (@joaocgreis)204ebbb
#8751 #7333 Keep autorun scripts from interfering with npm package and lifecycle script execution on Windows by adding/d
and/s
when invokingcmd.exe
. (@saper)
IT SEEMED LIKE AN IDEA AT THE TIME
286f3d9
#9201 For a while npm was building HTML partials for use ondocs.npmjs.com
, but we weren't actually using them. Stop building them, which makes running the full test suite and installation process around a third faster. (@isaacs)
A SINGLE LONELY DEPENDENCY UPGRADE
v3.3.0 (2015-08-13):
This is a pretty EXCITING week. But I may be a little excitable– or possibly sleep deprived, it's sometimes hard to tell them apart. =D So Kat really went the extra mile this week and got the client side support for teams and orgs out in this week's 2.x release. You can't use that just yet, 'cause we have to turn on some server side stuff too, but this way it'll be there for you all the moment we do! Check out the details over in the 2.14.0 release notes!
But we over here in 3.x ALSO got a new feature this week, check out the new
--only
and --also
flags for better control over when dev and production
dependencies are used by various npm commands.
That, and some important bug fixes round out this week. Enjoy everyone!
NEVER SHALL NOT BETA THE BETA
THIS IS BETA SOFTWARE. EXCITING NEW BETA WARNING!!! Ok, I fibbed,
EXACTLY THE SAME BETA WARNINGS: npm@3
will remain in beta until we're
confident that it's stable and have assessed the effect of the breaking
changes on the community. During that time we will still be doing npm@2
releases, with npm@2
tagged as latest
and next
. We'll also be
publishing new releases of npm@3
as npm@v3.x-next
and npm@v3.x-latest
alongside those versions until we're ready to switch everyone over to
npm@3
. We need your help to find and fix its remaining bugs. It's a
significant rewrite, so we are sure there still significant bugs
remaining. So do us a solid and deploy it in non-critical CI environments
and for day-to-day use, but maybe don't use it for production maintenance or
frontline continuous deployment just yet.
ONLY ALSO DEV
Hey we've got a SUPER cool new feature for you all, thanks to the fantastic
work of @davglass and
@bengl we have --only=prod
,
--only=dev
, --also=prod
and --also=dev
options. These apply in
various ways to: npm install
, npm ls
, npm outdated
and npm update
.
So for instance:
npm install --only=dev
Only installs dev dependencies. By contrast:
npm install --only=prod
Will only install prod dependencies and is very similar to --production
but differs in that it doesn't set the environment variables that
--production
does.
The related new flag, --also
is most useful with things like:
npm shrinkwrap --also=dev
As shrinkwraps don't include dev deps by default. This replaces passing in
--dev
in that scenario.
And that leads into the fact that this deprecates --dev
as its semantics
across commands were inconsistent and confusing.
DON'T TOUCH! THAT'S NOT YOUR BIN
b31812e
#8996 When removing a module that has bin files, if one that we're going to remove is a symlink to a DIFFERENT module, leave it alone. This only happens when you have two modules that try to provide the same bin. (@iarna)
THERE'S AN END IN SIGHT
d2178a9
#9223 Close a bunch of infinite loops that could show up with symlink cycles in your dependencies. (@iarna)
OOPS DIDN'T MEAN TO FIX THAT
Well, not just yet. This was scheduled for next week, but it snuck into 2.x this week.
139dd92
#8716npm init
will now only pick up the modules you install, not everything else that got flattened with them. (@iarna)
v2.14.0 (2015-08-13):
IT'S HERE! KINDA!
This release adds support for teens and orcs (err, teams and organizations) to the npm CLI! Note that the web site and registry-side features of this are still not ready for public consumption.
A beta should be starting in the next couple of weeks, and the features themselves will become public once all that's done. Keep an eye out for more news!
All of these changes were done under #9011
:
6424170
Added newnpm team
command and subcommands. (@zkat)52220d1
Added documentation for newnpm team
command. (@zkat)4e66830
Updatednpm access
to support teams and organizations. (@zkat)ea3eb87
Gussied up docs fornpm access
with new commands. (@zkat)6e0b431
Fix upnpm whoami
to make the underlying API usable elsewhere. (@zkat)f29c931
npm-registry-client@7.0.1
: Upgradenpm-registry-client
API to supportteam
andaccess
calls against the registry. (@zkat)
A FEW EXTRA VERSION BUMPS
c977e12
init-package-json@1.8.0
: Checks for somenpm@3
metadata. (@iarna)5c8c9e5
columnify@1.5.2
: Updated some dependencies. (@timoxley)5d56742
chownr@1.0.1
: Tests, docs, and minor style nits. (@isaacs)
ALSO A DOC FIX
v3.2.2 (2015-08-08):
Lot's of lovely bug fixes for npm@3
. I'm also suuuuper excited that I
think we have a handle on stack explosions that effect a small portion of
our users. We also have some tantalizing clues as to where some low hanging
fruit may be for performance issues.
And of course, in addition to the npm@3
specific bug fixes, there are some
great one's coming in from npm@2
! @othiym23
put together that release this week– check out its
release notes for the deets.
AS ALWAYS STILL BETA
THIS IS BETA SOFTWARE. Just like the airline safety announcements,
we're not taking this plane off till we finish telling you: npm@3
will
remain in beta until we're confident that it's stable and have assessed the
effect of the breaking changes on the community. During that time we will
still be doing npm@2
releases, with npm@2
tagged as latest
and next
.
We'll also be publishing new releases of npm@3
as npm@v3.x-next
and
npm@v3.x-latest
alongside those versions until we're ready to switch
everyone over to npm@3
. We need your help to find and fix its remaining
bugs. It's a significant rewrite, so we are sure there still significant
bugs remaining. So do us a solid and deploy it in non-critical CI
environments and for day-to-day use, but maybe don't use it for production
maintenance or frontline continuous deployment just yet.
BUG FIXES
a8c8a13
#9050 Resolve peer deps relative to the parent of the requirer (@iarna)05f0226
#9077 Fix crash when savinggit+ssh
urls (@iarna)e4a3808
#8951 Extend our patch to allow*
to match something when a package only has prerelease versions to everything and not just the cache. (@iarna)d135abf
#8871 Don't warn about a missingpackage.json
or missing fields in the global install directory. (@iarna)
DEP VERSION BUMPS
990ee4f
path-is-inside@1.0.1
(@domenic)1f71ec0
lodash.clonedeep@3.0.2
(@jdalton)a091354
marked@0.3.5
(@chjj)fc51f28
tap@1.3.2
(@isaacs)3569ec0
nock@2.10.0
(@pgte)ad5f6fd
npm-registry-mock@1.0.1
(@isaacs)
v2.13.5 (2015-08-07):
This is another quiet week for the npm@2
release.
@zkat has been working hard on polishing the CLI
bits of the registry's new feature to support direct management of teams and
organizations, and @iarna continues to work through
the list of issues blocking the general release of npm@3
, which is looking
more and more solid all the time.
@othiym23 and @zkat have also been at this week's Node.js / io.js collaborator summit, both as facilitators and participants. This is a valuable opportunity to get some face time with other contributors and to work through a bunch of important discussions, but it does leave us feeling kind of sleepy. Running meetings is hard!
What does that leave for this release? A few of the more tricky bug fixes that have been sitting around for a little while now, and a couple dependency upgrades. Nothing too fancy, but most of these were contributed by developers like you, which we think is swell. Thanks!
BUG FIXES
d7271b8
#4530 The bash completion script for npm no longer alters global completion behavior around word breaks. (@whitty)c9ce294
#7198 When setting up dependencies to be shared vianpm link <package>
, only run the lifecycle scripts during the original link, not when runningnpm link <package>
ornpm install --link
against them. (@murgatroid99)422da66
#9108 Clear up minor confusion around wording inbundledDependencies
section ofpackage.json
docs. (@derekpeterson)6b42d99
#9146 Include scripts that run forpreversion
,version
, andpostversion
in the section for lifecycle scripts rather than the genericnpm run-script
output. (@othiym23)
NOPE, NOT DONE WITH DEPENDENCY UPDATES
91a48bb
chmodr@1.0.1
: Ignore symbolic links when recursively changing mode, just like the Unix command. (@isaacs)4bbc86e
nock@2.10.0
(@pgte)
v3.2.1 (2015-07-31):
AN EXTRA QUIET RELEASE
A bunch of stuff got deferred for various reasons, which just means more branches to land next week!
Don't forget to check out Kat's 2.x release for other quiet goodies.
AS ALWAYS STILL BETA
THIS IS BETA SOFTWARE. Yes, we're still reminding you of this. No,
you can't be excused. npm@3
will remain in beta until we're confident
that it's stable and have assessed the effect of the breaking changes on the
community. During that time we will still be doing npm@2
releases, with
npm@2
tagged as latest
and next
. We'll also be publishing new
releases of npm@3
as npm@v3.x-next
and npm@v3.x-latest
alongside those
versions until we're ready to switch everyone over to npm@3
. We need your
help to find and fix its remaining bugs. It's a significant rewrite, so we
are sure there still significant bugs remaining. So do us a solid and
deploy it in non-critical CI environments and for day-to-day use, but maybe
don't use it for production maintenance or frontline continuous deployment
just yet.
MAKING OUR TESTS TEST THE THING THEY TEST
6e53c3d
#8985 Many thanks to @bengl for noticing that one of our tests wasn't testing what it claimed it was testing! (@bengl)
MY PACKAGE.JSON WAS ALREADY IN THE RIGHT ORDER
eb2c7aa
#9068 Stop sorting keys in thepackage.json
that we haven't edited. Many thanks to @Qix- for bringing this up and providing a first pass at a patch for this. (@iarna)
DEV DEP UPDATE
555f60c
marked@0.3.4
v2.13.4 (2015-07-30):
JULY ENDS ON A FAIRLY QUIET NOTE
Hey everyone! I hope you've had a great week. We're having a fairly small release this week while we wrap up Teams and Orgs (or, as we've taken to calling it internally, Teens and Orcs).
In other exciting news, a bunch of us are gonna be at the Node.js Collaborator Summit, and you can also find us at wafflejs on Wednesday. Hopefully we'll be seeing some of you there. :)
THE PATCH!!!
So here it is. The patch. Hope it helps. (Thanks, @ktarplee!)
OH AND THERE'S A DEV DEPENDENCIES UPDATE
Hooray.
v3.2.0 (2015-07-24):
MORE CONFIG, BETTER WINDOWS AND A BUG FIX
This is a smallish release with a new config option and some bug fixes. And lots of module updates.
BETA BETAS ON
THIS IS BETA SOFTWARE. Yes, we're still reminding you of this. No,
you can't be excused. npm@3
will remain in beta until we're confident
that it's stable and have assessed the effect of the breaking changes on the
community. During that time we will still be doing npm@2
releases, with
npm@2
tagged as latest
and next
. We'll also be publishing new
releases of npm@3
as npm@v3.x-next
and npm@v3.x-latest
alongside those
versions until we're ready to switch everyone over to npm@3
. We need your
help to find and fix its remaining bugs. It's a significant rewrite, so we
are sure there still significant bugs remaining. So do us a solid and
deploy it in non-critical CI environments and for day-to-day use, but maybe
don't use it for production maintenance or frontline continuous deployment
just yet.
NEW CONFIGS, LESS PROGRESS
AND BUG FIXES
-
b3ee452
#9038 We previously disabled the use of the newfs.access
API on Windows, but the bug we were seeing is fixed inio.js@1.5.0
so we now usefs.access
if you're using that version or greater. (@iarna) -
b181fa3
#8921 #8637 Rejigger how we validate modules for install. This allow is to fix a problem where arch/os checking wasn't being done at all. It also made it easy to add back in a check that declines to install a module in itself unless you force it. (@iarna)
AND A WHOLE BUNCH OF SUBDEP VERSIONS
These are all development dependencies and semver-compatible subdep upgrades, so they should not have visible impact on users.
6b3f6d9
standard@4.3.3
f4e22e5
readable-stream@2.0.2
(inside concat-stream)f130bfc
minimatch@2.0.10
(inside node-gyp's copy of glob)36c6a0d
caseless@0.11.0
80df59c
chalk@1.1.0
ea935d9
bluebird@2.9.34
3588a0c
extend@3.0.0
c6a8450
form-data@1.0.0-rc2
a04925b
har-validator@1.8.0
ee7c095
has-ansi@2.0.0
944fc34
hawk@3.1.0
783dc7b
lodash._basecallback@3.3.1
acef0fe
lodash._baseclone@3.3.0
dfe959a
lodash._basedifference@3.0.3
a03bc76
lodash._baseflatten@3.1.4
8a07d50
lodash._basetostring@3.0.1
7785e3f
lodash._baseuniq@3.0.3
826fb35
lodash._createcache@3.1.2
76030b3
lodash._createpadding@3.6.1
1a49ec6
lodash._getnative@3.9.1
eebe47f
lodash.isarguments@3.0.4
09994d4
lodash.isarray@3.0.4
b6f8dbf
lodash.keys@3.1.2
c67dd6b
lodash.pad@3.1.1
4add042
lodash.repeat@3.0.1
e04993c
lru-cache@2.6.5
2ed7da4
mime-db@1.15.0
ae08244
mime-types@2.1.3
e71410e
os-homedir@1.0.1
67c13e0
process-nextick-args@1.0.2
12ee041
qs@4.0.0
15564a6
spdx-license-ids@1.0.2
8733bff
supports-color@2.0.0
230943c
tunnel-agent@0.4.1
26a4653
ansi-styles@2.1.0
3d27081
bl@1.0.0
9efa110
async@1.4.0
MERGED FORWARD
- As usual, we've ported all the
npm@2
goodies in this week's v2.13.3 release.
v2.13.3 (2015-07-23):
I'M SAVING THE GOOD JOKES FOR MORE INTERESTING RELEASES
It's pretty hard to outdo last week's release buuuuut~ I promise I'll have a treat when we release our shiny new Teams and Organizations feature! :D (Coming Soon™). It'll be a real gem.
That means it's a pretty low-key release this week. We got some nice documentation tweaks, a few bugfixes, and other such things, though!
Oh, and a bunch of version bumps. Thanks, semver
!
IT'S THE LITTLE THINGS THAT MATTER
2fac6ae
#9012 A convenience for releases -- using the globally-installed npm before now was causing minor annoyances, so we just use the exact same npm we're releasing to build the new release. (@zkat)
WHAT DOES THIS BUTTON DO?
There's a couple of doc updates! The last one might be interesting.
4cd3205
#9002 Updated docs to list the various files that npm automatically includes and excludes, regardless of settings. (@SimenB)cf09e75
#9022 Document the"access"
field in"publishConfig"
. Did you know you don't need to use--access=public
when publishing scoped packages?! Just put it in yourpackage.json
! Go refresh yourself on scopes packages by checking our docs on them. (@boennemann)bfd73da
#9013 fixed typo in changelog (@radarhere)
THE SEMVER MAJOR VERSION APOCALYPSE IS UPON US
Basically, semver
is up to @5
, and that meant we needed to go in an update a
bunch of our dependencies manually. node-gyp
is still pending update, since
it's not ours, though!
9232e58
#8972init-package-json@1.7.1
(@othiym23)ba44f6b
#8972normalize-package-data@2.3.1
(@othiym23)3901d3c
#8972npm-install-checks@1.0.6
(@othiym23)ffcc7dd
#8972npm-package-arg@4.0.2
(@othiym23)7128f9e
#8972npm-registry-client@6.5.1
(@othiym23)af28911
#8972read-installed@4.0.2
(@othiym23)3cc817a
#8972 node-gyp needs its own version of semver (@othiym23)f98eccc
#8972semver@5.0.1
: Stop including browser builds. (@isaacs)
*BUMP*
And some other version bumps for good measure.
254ecfb
#8990marked-man@0.1.5
: Fixes an issue with documentation rendering where backticks in 2nd-level headers would break rendering (?!?!) (@steveklabnik)79efd79
minimatch@2.0.10
: A pattern like'*.!(x).!(y)'
should not match a name like'a.xyz.yab'
. (@isaacs)39c7dc9
request@2.60.0
: A few bug fixes and doc updates. (@simov)72d3c3a
rimraf@2.4.2
: Minor doc and dep updates (@isaacs)7513035
nock@2.9.1
(@pgte)3d9aa82
Fixes this thing where Kat decided to savenock
as a regular dependency ;) (@othiym23)
v3.1.3 (2015-07-17):
Rebecca: So Kat, I hear this week's other release uses a dialog between us to explain what changed?
Kat: Well, you could say that…
Rebecca: I would! This week I fixed more npm@3
bugs!
Kat: That sounds familiar.
Rebecca: Eheheheh, well, before we look at those, a word from our sponsor…
BETA IS AS BETA DOES
THIS IS BETA SOFTWARE. Yes, we're still reminding you of this. No,
you can't be excused. npm@3
will remain in beta until we're confident
that it's stable and have assessed the effect of the breaking changes on the
community. During that time we will still be doing npm@2
releases, with
npm@2
tagged as latest
and next
. We'll also be publishing new
releases of npm@3
as npm@v3.x-next
and npm@v3.x-latest
alongside those
versions until we're ready to switch everyone over to npm@3
. We need your
help to find and fix its remaining bugs. It's a significant rewrite, so we
are sure there still significant bugs remaining. So do us a solid and
deploy it in non-critical CI environments and for day-to-day use, but maybe
don't use it for production maintenance or frontline continuous deployment
just yet.
Rebecca: Ok, enough of the dialoguing, that's Kat's schtick. But do remember kids, betas hide in dark hallways waiting to break your stuff, stuff like…
SO MANY LINKS YOU COULD MAKE A CHAIN
-
6d69ec9
#8967 Removing a module linked into your globals would result in having all of its subdeps removed. Since the npm release process does exactly this, it burned me -every- -single- -week-. =D While we're here, we also removed extraneous warns that used to spill out when you'd remove a symlink. (@iarna) -
fdb360f
#8874 Linking scoped modules was failing outright, but this fixes that and updates our tests so we don't do it again. (@iarna)
WE'LL TRY NOT TO CRACK YOUR WINDOWS
9fafb18
#8701npm@3
introduced permissions checks that run before it actually tries to do something. This saves you from having an install fail half way through. We did this using the shiny newfs.access
function available innode 0.12
andio.js
, with fallback options for older nodes. Unfortunately the way we implemented the fallback caused racey problems for Windows systems. This fixes that by ensuring we only ever run any one check on a directory once. BUT it turns out there are bugs infs.access
on Windows. So this ALSO just disables the use offs.access
on Windows entirely until that settles out. (@iarna)
ZOOM ZOOM, DEP UPDATES
MERGED FORWARD
- Check out Kat's super-fresh release notes for v2.13.2
and see all the changes we ported from
npm@2
.
v2.13.2 (2015-07-16):
HOLD ON TO YOUR TENTACLES... IT'S NPM RELEASE TIME!
Kat: Hooray! Full team again, and we've got a pretty small patch release this week, about everyone's favorite recurring issue: git URLs!
Rebecca: No Way! Again?
Kat: The ride never ends! In the meantime, there's some fun, exciting work in the background to get orgs and teams out the door. Keep an eye out for news. :)
Rebecca: And make sure to keep an eye out for patches for the super-fresh
npm@3
!
LET'S GIT INKY
Rebecca: So what's this about another git URL issue?
Kat: Welp, I apparently broke backwards-compatibility on what are actually
invalid git+https
URLs! So I'm making it work, but we're gonna deprecate URLs
that look like git+https://user@host:path/is/here
.
Rebecca: What should we use instead?!
Kat: Just do me a solid and use git+ssh://user@host:path/here
or
git+https://user@host/absolute/https/path
instead!
769f06e
Updated tests forgetResolved
so the URLs are run throughnormalize-git-url
. (@zkat)edbae68
#8881 Added tests to verify thatgit+https:
URLs are handled compatibly. (@zkat)
NEWS FLASH! DOCUMENTATION IMPROVEMENTS!
bad4e014
#8924 Make sure documented default values inlib/cache.js
properly correspond to current code. (@watilde)e7a11fd
#8036 Clarify the documentation for.npmrc
to clarify that it's not read at the project level when doing global installs. (@espadrine)
STAY FRESH~
Kat: That's it for npm core changes!
Rebecca: Great! Let's look at the fresh new dependencies, then!
Kat: See you all next week!
Both: Stay Freeesh~
(some cat form of Forrest can be seen snoring in the corner)
bfa1f45
normalize-git-url@3.0.1
: Fixes url normalization such thatgit+https:
accepts scp syntax, but get converted into absolute-pathhttps:
URLs. Also fixes scp syntax so you can have absolute paths after the:
(git@myhost.org:/some/absolute/place.git
) (@zkat)6f757d2
glob@5.0.15
: Better handling of ENOTSUP (@isaacs)0920819
node-gyp@2.0.2
: Fixes an issue with long paths on Win32 (@TooTallNate)
v3.1.2
SO VERY BETA RELEASE
So, v3.1.1
managed to actually break installing local modules. And then
immediately after I drove to an island for the weekend. 😁 So let's get
this fixed outside the usual release train!
Fortunately it didn't break installing global modules and so you could swap it out for another version at least.
DISCLAIMER MEANS WHAT IT SAYS
THIS IS BETA SOFTWARE. Yes, we're still reminding you of this. No,
you can't be excused. npm@3
will remain in beta until we're confident
that it's stable and have assessed the effect of the breaking changes on the
community. During that time we will still be doing npm@2
releases, with
npm@2
tagged as latest
and next
. We'll also be publishing new
releases of npm@3
as npm@v3.x-next
and npm@v3.x-latest
alongside those
versions until we're ready to switch everyone over to npm@3
. We need your
help to find and fix its remaining bugs. It's a significant rewrite, so we
are sure there still significant bugs remaining. So do us a solid and
deploy it in non-critical CI environments and for day-to-day use, but maybe
don't use it for production maintenance or frontline continuous deployment
just yet.
THIS IS IT, THE REASON
v3.1.1
RED EYE RELEASE
Rebecca's up too late writing tests, so you can have npm@3
bug fixes! Lots
of great new issues from you all! ❤️️ Keep it up!
YUP STILL BETA, PLEASE PAY ATTENTION
THIS IS BETA SOFTWARE. Yes, we're still reminding you of this. No,
you can't be excused. npm@3
will remain in beta until we're confident
that it's stable and have assessed the effect of the breaking changes on the
community. During that time we will still be doing npm@2
releases, with
npm@2
tagged as latest
and next
. We'll also be publishing new
releases of npm@3
as npm@v3.x-next
and npm@v3.x-latest
alongside those
versions until we're ready to switch everyone over to npm@3
. We need your
help to find and fix its remaining bugs. It's a significant rewrite, so we
are sure there still significant bugs remaining. So do us a solid and
deploy it in non-critical CI environments and for day-to-day use, but maybe
don't use it for production maintenance or frontline continuous deployment
just yet.
BOOGS
9badfd6
#8608 Make global installs and uninstalls MUCH faster by only reading the directories of modules referred to by arguments. (@iarna075a5f0
#8660 Failed optional deps would still result in the optional deps own dependencies being installed. We now find them and fail them out of the tree. (@iarnac9fbbb5
#8863 The "no compatible version found" error message was including only the version requested, not the name of the package we wanted. Ooops! (@iarna32e6bbd
#8806 The "uninstall" lifecycle was being run after all of a module's dependencies has been removed. This reverses that order-- this means "uninstall" lifecycles can make use of the package's dependencies. (@iarna
MERGED FORWARD
- Check out the v2.13.1 release notes
and see all the changes we ported from
npm@2
.
v2.13.1 (2015-07-09):
KAUAI WAS NICE. I MISS IT.
But Forrest's still kinda on vacation, and not just mentally, because he's hanging out with the fine meatbags at CascadiaFest. Enjoy this small bug release.
MAKE OURSELVES HAPPY
40981f2
#8862 Make the lifecycle's safety check work with scoped packages. (@tcort)5125856
#8855 Make dependency versions of"*"
match"latest"
when all versions are prerelease. (@iarna)22fdc1d
Visually emphasize the correct way to write lifecycle scripts. (@josh-egan)
MAKE TRAVIS HAPPY
413c3ac
Use npm's2.x
branch for testing its2.x
branch. (@iarna)7602f64
Don't prompt for GnuPG passphrase in version lifecycle tests. (@othiym23)
MAKE npm outdated
HAPPY
d338668
#8796fstream-npm@1.0.4
: When packing the package tarball, npm no longer crashes for packages with certain combinations of.npmignore
entries,.gitignore
entries, and lifecycle scripts. (@iarna)dbe7c9c
nock@2.7.0
: Add matching based on query strings. (@othiym23)
There are new versions of strip-ansi
and ansi-regex
, but npm only uses them
indirectly, so we pushed them down into their dependencies where they can get
updated at their own pace.
v3.1.0 (2015-07-02):
This has been a brief week of bug fixes, plus some fun stuff merged forward from this weeks 2.x release. See the 2.13.0 release notes for details on that.
You all have been AWESOME with
all
the
npm@3
bug reports! Thank you and keep up the great work!
NEW PLACE, SAME CODE
Remember how last week we said npm@3
would go to 3.0-next
and latest
tags? Yeaaah, no, please use npm@v3.x-next
and npm@v3.x-latest
going forward.
I dunno why we said "suuure, we'll never do a feature release till we're out
of beta" when we're still forward porting npm@2.x
features. ¯\_(ツ)_/¯
If you do accidentally use the old tag names, I'll be maintaining them for a few releases, but they won't be around forever.
YUP STILL BETA, PLEASE PAY ATTENTION
THIS IS BETA SOFTWARE. npm@3
will remain in beta until we're
confident that it's stable and have assessed the effect of the breaking
changes on the community. During that time we will still be doing npm@2
releases, with npm@2
tagged as latest
and next
. We'll also be
publishing new releases of npm@3
as npm@v3.x-next
and npm@v3.x-latest
alongside those versions until we're ready to switch everyone over to
npm@3
. We need your help to find and fix its remaining bugs. It's a
significant rewrite, so we are sure there still significant bugs
remaining. So do us a solid and deploy it in non-critical CI environments
and for day-to-day use, but maybe don't use it for production maintenance
or frontline continuous deployment just yet.
BUGS ON THE WINDOWS
0030ade
#8685 Windows would hang when trying to clone git repos (@euprogramador)b259bcc
#8786 Windows permissions checks would cause installations to fail under some circumstances. We're disabling the checks entirely for this release. I'm hoping to check back with this next week to get a Windows friendly fix in. (@iarna)
SO MANY BUGS SQUASHED, JUST CALL US RAID
0848698
#8686 Stop leaving progress bar cruft on the screen during publication (@ajcrites)57c3cea
#8695 Remote packages with shrinkwraps made npm cause node + iojs to explode and catch fire. NO MORE. (@iarna)2875ba3
#8723 I uh, told you that engineStrict checking had gone away last week. TURNS OUT I LIED. So this is making that actually be true. (@iarna)28064e5
#3358 Consistently allow Unicode BOMs at the start of package.json files. Previously this was allowed some of time, like when you were installing modules, but not others, like running npm version or installing w/--save
. (@iarna)3cb6ad2
#8736npm@3
wasn't running the "install" lifecycle in your current (toplevel) module. This broke modules that relied on C compilation. BOO. (@iarna)68da583
#8766 To my great shame,npm link package
wasn't working AT ALL if you didn't havepackage
already installed. (@iarna)edd7448
read-package-tree@5.0.0
: This update makes read-package-tree not explode when there's bad data in your node_modules folder.npm@2
silently ignores this sort of thing. (@iarna)0bb08c8
#8778 RELATEDLY, we now show any errors from your node_modules folder after your installation completes as warnings. We're also reporting these innpm ls
now. (@iarna)6c248ff
#8779 Hey, you know how we used to complain if yourpackage.json
was missing stuff? Well guess what, we are again. I know, I know, you can thank me later. (@iarna)d6f7c98
So, when we were rolling back after errors we had untested code that tried to undo moves. Being untested it turns out it was very broken. I've removed it until we have time to do this right. (@iarna)
NEW VERSION
Just the one. Others came in via the 2.x release. Do check out its changelog, immediately following this message.
4e602c5
lodash@3.2.2
v2.13.0 (2015-07-02):
FORREST IS OUT! LET'S SNEAK IN ALL THE THINGS!
Well, not everything. Just a couple of goodies, like the new npm ping
command, and the ability to add files to the commits created by npm version
with the new version hooks. There's also a couple of bugfixes in npm
itself
and some of its dependencies. Here we go!
YES HELLO THIS IS NPM REGISTRY SORRY NO DOG HERE
Yes, that's right! We now have a dedicated npm ping
command. It's super simple
and super easy. You ping. We tell you whether you pinged right by saying hello
right back. This should help out folks dealing with things like proxy issues or
other registry-access debugging issues. Give it a shot!
This addresses #5750, and will help
with the npm doctor
stuff described in
#6756.
f1f7a85
Add ping command to CLI (@michaelnisi)8cec629
Add ping command to npm-registry-client (@michaelnisi)0c0c92d
Fixed ping command issues (added docs, tests, fixed minor bugs, etc) (@zkat)
I'VE WANTED THIS FOR version
SINCE LIKE LITERALLY FOREVER AND A DAY
Seriously! This patch lets you add files to the version
commit before it's
made, So you can add additional metadata files, more automated changes to
package.json
, or even generate CHANGELOG.md
automatically pre-commit if
you're into that sort of thing. I'm so happy this is there I can't even. Do you
have other fun usecases for this? Tell
npmbot (@npmjs) about it!
582f170
#8620 version: Allow scripts to add files to the commit. (@jamestalmage)
ALL YOUR FILE DESCRIPTORS ARE BELONG TO US
We've had problems in the past with things like EMFILE
errors popping up when
trying to install packages with a bunch of dependencies. Isaac patched up
graceful-fs
to handle this case
better, so we should be seeing fewer of those.
022691a
graceful-fs@4.1.2
: Updated so we can monkey patch globally. (@isaacs)c9fb0fd
Globally monkey-patch graceful-fs. This should fix some errors when installing packages with lots of dependencies. (@isaacs)
READ THE FINE DOCS. THEY'VE IMPROVED
5587d0d
Nice clarification fordirectories.bin
(@ujane)20673c7
Hey, Windows folks! Check outnvm-windows
(@ArtskydJ)
MORE NUMBERS! MORE VALUE!
5afa2d5
validate-npm-package-name@2.2.2
: Documented package name rules in README (@zeusdeux)021f4d9
rimraf@2.4.1
: #74 Use async function for bin (to better handle Window'sEBUSY
) (@isaacs)5223432
osenv@0.1.3
: Useos.homedir()
polyfill for more reliable output. io.js added the function and the polyfill does a better job than the prior solution. (@sindresorhus)8ebbc90
npm-cache-filename@1.0.2
: Make sure different git references get different cache folders. This should preventfoo/bar#v1.0
andfoo/bar#master
from sharing the same cache folder. (@tomekwi)367b854
lru-cache@2.6.5
: Minor test/typo changes (@isaacs)9fcae61
glob@5.0.13
: Tiny doc change + stop firing 'match' events for ignored items. (@isaacs)
OH AND ONE MORE THING
7827249
PeerDependencies
errors now include the package version. (@NickHeiner)
v2.12.1 (2015-06-25):
HEY WHERE DID EVERYBODY GO
I keep hearing some commotion. Is there something going on? Like, a party or something? Anyway, here's a small release with at least two significant bug fixes, at least one of which some of you have been waiting for for quite a while.
REMEMBER WHEN I SAID "REMEMBER WHEN I SAID THAT THING ABOUT PERMISSIONS?"?
npm@2.12.0
has a change that introduces a fix for a permissions problem
whereby the _locks
directory in the cache directory can up being owned by
root. The fix in 2.12.0 takes care of that problem, but introduces a new
problem for Windows users where npm tries to call process.getuid()
, which
doesn't exist on Windows. It was easy enough to fix (but more or less
impossible to test, thanks to all the external dependencies involved with
permissions and platforms and whatnot), but as a result, Windows users might
want to skip npm@2.12.0
and go straight to npm@2.12.1
. Sorry about that!
7e5da23
When using the new, "fixed" cache directory creator, be extra-careful to not callprocess.getuid()
on platforms that lack it. (@othiym23)
WHEW! ALL DONE FIXING GIT FOREVER!
New npm CLI team hero @zkat has finally (FINALLY)
fixed the regression somebody (hi!) introduced a couple months ago whereby git
URLs of the format git+ssh://user@githost.com:org/repo.git
suddenly stopped
working, and also started being saved (and cached) incorrectly. I am 100% sure
there are absolutely no more bugs in the git caching code at all ever. Mm hm.
Yep. Pretty sure. Maybe. Hmm... I hope.
Sighs audibly.
Let us know if we broke something else with this fix.
94ca4a7
#8031 Even thoughgit+ssh://user@githost.com:org/repo.git
isn't a URL, treat it like one for the purposes of npm. (@zkat)e7f56e5
#8031normalize-git-url@2.0.0
: Handle git URLs (and URL-like remote refs) in a manner consistent with npm's docs. (@zkat)
YEP, THERE ARE STILL DEPENDENCY UPGRADES
679bf47
#40read-installed@4.0.1
: Handle prerelease versions in top-level dependencies not inpackage.json
without marking those packages as invalid. (@benjamn)3a67410
tap@1.3.1
(@isaacs)151904a
nopt@3.0.3
(@isaacs)
v3.0.0 (2015-06-25):
Wow, it's finally here! This has been a long time coming. We are all delighted and proud to be getting this out into the world, and are looking forward to working with the npm user community to get it production-ready as quickly as possible.
npm@3
constitutes a nearly complete rewrite of npm's installer to be
easier to maintain, and to bring a bunch of valuable new features and
design improvements to you all.
@othiym23 and @isaacs have been talking about the changes in this release for well over a year, and it's been the primary focus of @iarna since she joined the team.
Given that this is a near-total rewrite, all changes listed here are @iarna's work unless otherwise specified.
NO, REALLY, READ THIS PARAGRAPH. IT'S THE IMPORTANT ONE.
THIS IS BETA SOFTWARE. npm@3
will remain in beta until we're
confident that it's stable and have assessed the effect of the breaking
changes on the community. During that time we will still be doing npm@2
releases, with npm@2
tagged as latest
and next
. We'll also be
publishing new releases of npm@3
as npm@3.0-next
and npm@3.0-latest
alongside those versions until we're ready to switch everyone over to
npm@3
. We need your help to find and fix its remaining bugs. It's a
significant rewrite, so we are sure there still significant bugs
remaining. So do us a solid and deploy it in non-critical CI environments
and for day-to-day use, but maybe don't use it for production maintenance
or frontline continuous deployment just yet.
BREAKING CHANGES
peerDependencies
grunt
, gulp
, and broccoli
plugin maintainers take note! You will be
affected by this change!
- #6930
(#6565)
peerDependencies
no longer cause anything to be implicitly installed. Instead, npm will now warn if a packagespeerDependencies
are missing, but it's up to the consumer of the module (i.e. you) to ensure the peers get installed / are included inpackage.json
as directdependencies
ordevDependencies
of your package. - #3803
npm also no longer checks
peerDependencies
until after it has fully resolved the tree.
This shifts the responsibility for fulfilling peer dependencies from library
/ framework / plugin maintainers to application authors, and is intended to
get users out of the dependency hell caused by conflicting peerDependency
constraints. npm's job is to keep you out of dependency hell, not put you
in it.
engineStrict
- #6931 The rarely-used
package.json
optionengineStrict
has been deprecated for several months, producing warnings when it was used. Starting withnpm@3
, the value of the field is ignored, and engine violations will only produce warnings. If you, as a user, want strictengines
field enforcement, just runnpm config set engine-strict true
.
As with the peer dependencies change, this is about shifting control from
module authors to application authors. It turns out engineStrict
was very
difficult to understand even harder to use correctly, and more often than
not just made modules using it difficult to deploy.
npm view
77f1aec
Withnpm view
(akanpm info
), always return arrays for versions, maintainers, etc. Previously npm would return a plain value if there was only one, and multiple values if there were more. (@KenanY)
KNOWN BUGS
Again, this is a BETA RELEASE, so not everything is working just yet. Here are the issues that we already know about. If you run into something that isn't on this list, let us know!
- #8575 Circular deps will never be removed by the prune-on-uninstall code.
- #8588 Local deps where the dep name and the name in the package.json differ don't result in an error.
- #8637
Modules can install themselves as direct dependencies.
npm@2
declined to do this. - #8660 Dependencies of failed optional dependencies aren't rolled back when the optional dependency is, and then are reported as extraneous thereafter.
NEW FEATURES
The multi-stage installer!
-
#5919 Previously the installer had a set of steps it executed for each package and it would immediately start executing them as soon as it decided to act on a package.
But now it executes each of those steps at the same time for all packages, waiting for all of one stage to complete before moving on. This eliminates many race conditions and makes the code easier to reason about.
This fixes, for instance:
- #6926
(#5001,
#6170)
install
andpostinstall
lifecycle scripts now only executeafter
all the module with the script's dependencies are installed.
Install: it looks different!
You'll now get a tree much like the one produced by npm ls
that
highlights in orange the packages that were installed. Similarly, any
removed packages will have their names prefixed by a -
.
Also, npm outdated
used to include the name of the module in the
Location
field:
Package Current Wanted Latest Location
deep-equal MISSING 1.0.0 1.0.0 deep-equal
glob 4.5.3 4.5.3 5.0.10 rimraf > glob
Now it shows the module that required it as the final point in the
Location
field:
Package Current Wanted Latest Location
deep-equal MISSING 1.0.0 1.0.0 npm
glob 4.5.3 4.5.3 5.0.10 npm > rimraf
Previously the Location
field was telling you where the module was on
disk. Now it tells you what requires the module. When more than one thing
requires the module you'll see it listed once for each thing requiring it.
Install: it works different!
- #6928
(#2931
#2950)
npm install
when you have annpm-shrinkwrap.json
will ensure you have the modules specified in it are installed in exactly the shape specified no matter what you had when you started. - #6913
(#1341
#3124
#4956
#6349
#5465)
npm install
when some of your dependencies are missing sub-dependencies will result in those sub-dependencies being installed. That is,npm install
now knows how to fix broken installs, most of the time. - #5465
If you directly
npm install
a module that's already a subdep of something else and your new version is incompatible, it will now install the previous version nested in the things that need it. a2b50cf
#5693 When installing a new module, if it's mentioned in yournpm-shrinkwrap.json
or yourpackage.json
use the version specifier from there if you didn't specify one yourself.
Flat, flat, flat!
Your dependencies will now be installed maximally flat. Insofar as is
possible, all of your dependencies, and their dependencies, and THEIR
dependencies will be installed in your project's node_modules
folder with no
nesting. You'll only see modules nested underneath one another when two (or
more) modules have conflicting dependencies.
- #3697 This will hopefully eliminate most cases where windows users ended up with paths that were too long for Explorer and other standard tools to deal with.
- #6912 (#4761 #4037) This also means that your installs will be deduped from the start.
- #5827 This deduping even extends to git deps.
- #6936 (#5698) Various commands are dedupe aware now.
This has some implications for the behavior of other commands:
npm uninstall
removes any dependencies of the module that you specified that aren't required by any other module. Previously, it would only remove those that happened to be installed under it, resulting in left over cruft if you'd ever deduped.npm ls
now shows you your dependency tree organized around what requires what, rather than where those modules are on disk.- #6937
npm dedupe
now flattens the tree in addition to deduping.
And bundling of dependencies when packing or publishing changes too:
- #2442 bundledDependencies no longer requires that you specify deduped sub deps. npm can now see that a dependency is required by something bundled and automatically include it. To put that another way, bundledDependencies should ONLY include things that you included in dependencies, optionalDependencies or devDependencies.
- #5437
When bundling a dependency that's both a
devDependency
and the child of a regulardependency
, npm bundles the child dependency.
As a demonstration of our confidence in our own work, npm's own
dependencies are now flattened, deduped, and bundled in the npm@3
style.
This means that npm@3
can't be packed or published by npm@2
, which is
something to be aware of if you're hacking on npm.
Shrinkwraps: they are a-changin'!
First of all, they should be idempotent now
(#5779). No more differences
because the first time you install (without npm-shrinkwrap.json
) and the
second time (with npm-shrinkwrap.json
).
- #6781
Second, if you save your changes to
package.json
and you havenpm-shrinkwrap.json
, then it will be updated as well. This applies to all of the commands that update your tree:npm install --save
npm update --save
npm dedupe --save
(#6410)npm uninstall --save
- #4944
(#5161
#5448)
Third, because
node_modules
folders are now deduped and flat, shrinkwrap has to also be smart enough to handle this.
And finally, enjoy this shrinkwrap bug fix:
- #3675
When shrinkwrapping a dependency that's both a
devDependency
and the child of a regulardependency
, npm now correctly includes the child.
The Age of Progress (Bars)!
- #6911 (#1257 #5340 #6420) The spinner is gone (yay? boo? will you miss it?), and in its place npm has progress bars, so you actually have some sense of how long installs will take. It's provided in Unicode and non-Unicode variants, and Unicode support is automatically detected from your environment.
TINY JEWELS
The bottom is where we usually hide the less interesting bits of each release, but each of these are small but incredibly useful bits of this release, and very much worth checking out:
9ebe312
Build system maintainers, rejoice: npm does a better job of cleaning up after itself in your temporary folder.- #6942 Check for permissions issues prior to actually trying to install anything.
- Emit warnings at the end of the installation when possible, so that they'll be on your screen when npm stops.
- #3505
npm --dry-run
: You can now ask that npm only report what it would have done with the new--dry-run
flag. This can be passed to any of the commands that change yournode_modules
folder:install
,uninstall
,update
anddedupe
. 81b46fb
npm now knows the correct URLs fornpm bugs
andnpm repo
for repositories hosted on Bitbucket and GitLab, just like it does for GitHub (and GitHub support now extends to projects hosted as gists as well as traditional repositories).5be4008a
npm has been cleaned up to pass thestandard
style checker. Forrest and Rebecca both feel this makes it easier to read and understand the code, and should also make it easier for new contributors to put merge-ready patches. (@othiym23)
ZARRO BOOGS
6401643
Make sure the global install directory exists before installing to it. (@thefourtheye)- #6158 When we remove modules we do so inside-out running unbuild for each one.
960a765
The short usage information for each subcommand has been brought in sync with the documentation. (@smikes)
v2.12.0 (2015-06-18):
REMEMBER WHEN I SAID THAT THING ABOUT PERMISSIONS?
About a million people have filed issues related to having a tough time using npm after they've run npm once or twice with sudo. "Don't worry about it!" I said. "We've fixed all those permissions problems ages ago! Use this one weird trick and you'll never have to deal with this again!"
Well, uh, if you run npm with root the first time you run npm on a machine, it
turns out that the directory npm uses to store lockfiles ends up being owned by
the wrong user (almost always root), and that can, well, it can cause problems
sometimes. By which I mean every time you run npm without being root it'll barf
with EACCES
errors. Whoops!
This is an obnoxious regression, and to prevent it from recurring, we've made
it so that the cache, cached git remotes, and the lockfile directories are all
created and maintained using the same utilty module, which not only creates the
relevant paths with the correct permissions, but will fix the permissions on
those directories (if it can) when it notices that they're broken. An npm install
run as root ought to be sufficient to fix things up (and if that
doesn't work, first tell us about it, and then run sudo chown -R $(whoami) $HOME/.npm
)
Also, I apologize for inadvertently gaslighting any of you by claiming this bug wasn't actually a bug. I do think we've got this permanently dealt with now, but I'll be paying extra-close attention to permissions issues related to the cache for a while.
I WENT TO NODECONF AND ALL I GOT WAS THIS LOUSY SPDX T-SHIRT
That's not literally true. We spent very little time discussing SPDX, @kemitchell is a champ, and I had a lot of fun playing drum & bass to a mostly empty Boogie Barn and only ended up with one moderately severe cold for my pains. Another winner of a NodeConf! (I would probably wear a SPDX T-shirt if somebody gave me one, though.)
A bunch of us did have a spirited discussion of the basics of open-source
intellectual property, and the convergence of me,
@kemitchell, and
@jandrieu in one place allowed us to hammmer out
a small but significant issue that had been bedeviling early adopters of the
new SPDX expression syntax in package.json
license fields: how to deal with
packages that are left without a license on purpose.
Refer to the docs
for the specifics, but the short version is that instead of using
LicenseRef-LICENSE
for proprietary licenses, you can now use either
UNLICENSED
if you want to make it clear that you don't want your software
to be licensed (and want npm to stop warning you about this), or SEE LICENSE IN <filename>
if there's a license with custom text you want to use. At some
point in the near term, we'll be updating npm to verify that the mentioned
file actually exists, but for now you're all on the honor system.
4827fc7
#8557normalize-package-data@2.2.1
: AllowUNLICENSED
andSEE LICENSE IN <filename>
in "license" field ofpackage.json
. (@kemitchell)16a3dd5
#8557 Document the new accepted values for the "license" field. (@kemitchell)8155311
#8557init-package-json@1.7.0
: Support new "license" field values at init time. (@kemitchell)
SMALLISH BUG FIXES
9d8cac9
#8548 Remove extraneous newline fromnpm view
output, making it easier to use in shell scripts. (@eush77)765fd4b
#8521 When checking for outdated packages, or updating packages, raise an error when the registry is unreachable instead of silently "succeeding". (@ryantemple)
SMALLERISH DOCUMENTATION TWEAKS
5018335
#8365 Add details about which git environment variables are whitelisted by npm. (@nmalaguti)bed9edd
#8554 Fix typo in version docs. (@rainyday)
WELL, I GUESS THERE ARE MORE DEPENDENCY UPGRADES
7ce2f06
request@2.58.0
: Refactor tunneling logic, and useextend
instead of abusingutil._extend
. (@simov)e6c6195
nock@2.6.0
: Refined interception behavior. (@pgte)9583cc3
fstream-npm@1.0.3
: Ensure thatmain
entry inpackage.json
is always included in the bundled package tarball. (@coderhaoxin)df89493
fstream@1.0.7
(@isaacs)9744049
dezalgo@1.0.3
:dezalgo
should be usable in the browser, and can be now thatasap
has been upgraded to be browserifiable. (@mvayngrib)
v2.11.3 (2015-06-11):
This was a very quiet week. This release was done by @iarna, while the rest of the team hangs out at NodeConf Adventure!
TESTS IN 0.8 FAIL LESS
THE TREADMILL OF UPDATES NEVER CEASES
9f439da
spdx@0.4.1
: License range updates (@kemitchell)2dd055b
normalize-package-data@2.2.1
: Fixes a crashing bug when the package.jsonscripts
property is not an object. (@iarna)e02e85d
osenv@0.1.2
: Switches to using theos-tmpdir
module instead ofos.tmpdir()
for greate consistency in behavior between node versions. (@iarna)a6f0265
ini@1.3.4
(@isaacs)7395977
rimraf@2.4.0
(@isaacs)
v2.11.2 (2015-06-04):
Another small release this week, brought to you by the latest addition to the CLI team, @zkat (Hi, all!)
Mostly small documentation tweaks and version updates. Oh! And npm outdated
is actually sorted now. Rejoice!
It's gonna be a while before we get another palindromic version number. Enjoy it while it lasts. :3
QUALITY OF LIFE HAS NEVER BEEN BETTER
31aada4
#8401npm outdated
output is just that much nicer to consume now, due to sorting by name. (@watilde)458a919
#8469 Explicitly setcwd
forpreversion
,version
, andpostversion
scripts. This makes the scripts findable relative to the root dir. (@alexkwolfe)55d6d71
Ensure package name and version are included in display duringnpm version
lifecycle execution. Gets rid of those littleundefined
s in the console. (@othiym23)
WORDS HAVE NEVER BEEN QUITE THIS READABLE
3901e49
#8462 English apparently requires correspondence between indefinite articles and attached nouns. (@Enet4)5a744e4
#8421 The effect ofnpm prune
's--production
flag and how to use it have been documented a bit better. (@foiseworth)eada625
We've updated our.mailmap
andAUTHORS
files to make sure credit is given where credit is due. (@othiym23)
VERSION NUMBERS HAVE NEVER BEEN BIGGER
c929fd1
readable-stream@1.1.13
: Manually dedupedv1.1.13
(streams3) to make deduping more reliable onnpm@<3
. (@othiym23)a9b4b78
request@2.57.0
: Replace dependency on IncomingMessage's.client
with.socket
as the former was deprecated in io.js 2.2.0. (@othiym23)4b5e557
abbrev@1.0.7
: Better testing, with coverage. (@othiym23)561affe
semver@4.3.6
: .npmignore added for less cruft, and better testing, with coverage. (@othiym23)60aef3c
graceful-fs@3.0.8
: io.js fixes. (@zkat)f8bd453
config-chain@1.1.9
: Added MIT license to package.json (@zkat)
v2.11.1 (2015-05-28):
This release brought to you from poolside at the Omni Amelia Island Resort and JSConf 2015, which is why it's so tiny.
CONFERENCE WIFI CAN'T STOP THESE BUG FIXES
cf109a6
#8381 Documented a subtle gotcha with.npmrc
, which is that it needs to have its permissions set such that only the owner can read or write the file. (@colakong)180da67
#8365 Git 2.3 adds support forGIT_SSH_COMMAND
, which allows you to pass an explicit git command (with, for example, a specific identity passed in on the command line). (@nmalaguti)
MY (VIRGIN) PINA COLADA IS GETTING LOW, BETTER UPGRADE THESE DEPENDENCIES
b72de41
node-gyp@2.0.0
: Use a newer version ofgyp
, and generally improve support for Visual Studios and Windows. (@TooTallNate)8edbe21
node-gyp@2.0.1
: Don't crash when Python's version doesn't parse as valid semver. (@TooTallNate)ba0e0a8
glob@5.0.10
: Add coverage to tests. (@isaacs)7333701
request@2.56.0
: Bug fixes and dependency upgrades. (@simov)
v2.11.0 (2015-05-21):
For the first time in a very long time, we've added new events to the life
cycle used by npm run-script
. Since running npm version (major|minor|patch)
is typically the last thing many developers do before publishing their updated
packages, it makes sense to add life cycle hooks to run tests or otherwise
preflight the package before doing a full publish. Thanks, as always, to the
indefatigable @watilde for yet another great
usability improvement for npm!
FEATURELETS
b07f7c7
#7906 Add newscripts
to allow you to run scripts before and after thenpm version
command has run. This makes it easy to, for instance, require that your test suite passes before bumping the version by just adding"preversion": "npm test"
to the scripts section of yourpackage.json
. (@watilde)8a46136
#8185 When we get a "not found" error from the registry, we'll now check to see if the package name you specified is invalid and if so, give you a better error message. (@thefourtheye)
BUG FIXES
9bcf573
#8324 On Windows, when you've configured a customnode-gyp
, run it with node itself instead of using the default open action (which is almost never what you want). (@bangbang93)1da9b04
#7195 #7260npm-registry-client@6.4.0
: (Re-)allow publication of existing mixed-case packages (part 1). (@smikes)e926783
#7195 #7260normalize-package-data@2.2.0
: (Re-)allow publication of existing mixed-case packages (part 2). (@smikes)
DOCUMENTATION IMPROVEMENTS
f62ee05
#8314 Update the README to warn folks away from using the CLI's internal API. For the love of glob, just use a child process to run the CLI! (@claycarpenter)1093921
#8279 Update the documentation to note that, yes, you can publish scoped packages to the public registry now! (@mantoni)f87cde5
#8292 Fix typo in an example and grammar in the description in the shrinkwrap documentation. (@vshih)d3526ce
Improve the formatting in the shrinkwrap documentation. (@othiym23)19fe6d2
#8311 Update README.md to use syntax highlighting in its code samples and bits of shell scripts. (@SimenB)
DEPENDENCY UPDATES! ALWAYS AND FOREVER!
fc52160
#4700 #5044init-package-json@1.6.0
: Make entering an invalid version while runningnpm init
give you an immediate error and prompt you to correct it. (@watilde)738853e
#7763fs-write-stream-atomic@1.0.3
: Fix a bug where errors would not propagate, making error messages unhelpful. (@iarna)6d74a2d
npm-package-arg@4.0.1
: Fix tests on windows (@Bacra) and with more recenthosted-git-info
. (@iarna)50f7178
hosted-git-info@2.1.4
: Correct spelling in its documentation. (@iarna)d7956ca
glob@5.0.7
: Fix a bug where unusual error conditions could make further use of the module fail. (@isaacs)44f7d74
tap@1.1.0
: Update to the most recent tap to get a whole host of bug fixes and integration with coveralls. (@isaacs)c21e8a8
nock@2.2.0
(@othiym23)
LICENSE FILES FOR THE LICENSE GOD
- Add missing ISC license file to package (@kasicka):
SPDX LICENSE UPDATES
- Switch license to BSD-2-Clause from plain "BSD" (@isaacs):
- Switch license to ISC from BSD (@isaacs):
- Switch license to ISC from MIT (@isaacs):
v2.10.1 (2015-05-14):
BUG FIXES & DOCUMENTATION TWEAKS
dc77520
When getting back a 404 from a request to a private registry that uses a registry path that extends past the root (http://registry.enterprise.co/path/to/registry
), display the name of the nonexistent package, rather than the first element in the registry API path. Sorry, Artifactory users! (@hayes)f70dea9
Make clearer that--registry
can be used on a per-publish basis to push a package to a non-default registry. (@mischkl)a3e26f5
Did you know that GitHub shortcuts can have commit-ishes included (org/repo#branch
)? They can! (@iarna)0e2c091
Some errors fromreadPackage
were being swallowed, potentially leading to invalid package trees on disk. (@smikes)
DEPENDENCY UPDATES! STILL! MORE! AGAIN!
0b901ad
lru-cache@2.6.3
: Removed some cruft from the published package. (@isaacs)d713e0b
mkdirp@0.5.1
: Made compliant withstandard
, dropped support for Node 0.6, added (Travis) support for Node 0.12 and io.js. (@isaacs)a2d6578
glob@1.0.3
: Updated to usetap@1
. (@isaacs)64cd1a5
fstream@ 1.0.6
: Made compliant withstandard
(done by @othiym23, and then debugged and fixed by @iarna), and license changed to ISC. (@othiym23 / @iarna)b527a7c
which@1.1.1
: Callers can pass in their ownPATH
instead of relying onprocess.env
. (@isaacs)
v2.10.0 (2015-05-8):
THE IMPLICATIONS ARE MORE PROFOUND THAN THEY APPEAR
If you've done much development in The Enterprise®™, you know that keeping track of software licenses is far more important than one might expect / hope / fear. Tracking licenses is a hassle, and while many (if not most) of us have (reluctantly) gotten around to setting a license to use by default with all our new projects (even if it's just WTFPL), that's about as far as most of us think about it. In big enterprise shops, ensuring that projects don't inadvertently use software with unacceptably encumbered licenses is serious business, and developers spend a surprising (and appalling) amount of time ensuring that licensing is covered by writing automated checkers and other license auditing tools.
The Linux Foundation has been working on a machine-parseable syntax for license
expressions in the form of SPDX, an appropriately
enterprisey acronym. IP attorney and JavaScript culture hero Kyle
Mitchell has put a considerable amount of effort into
bringing SPDX to JavaScript and Node. He's written
spdx.js
, a JavaScript SPDX
expression parser, and has integrated it into npm in a few different ways.
For you as a user of npm, this means:
- npm now has proper support for dual licensing in
package.json
, due to SPDX's compound expression syntax. Runnpm help package.json
for details. - npm will warn you if the
package.json
for your project is either missing a"license"
field, or if the value of that field isn't a valid SPDX expression (pro tip:"BSD"
becomes"BSD-2-Clause"
in SPDX (unless you really want one of its variants);"MIT"
and"ISC"
are fine as-is; the full list is its own package). npm init
now demands that you use a valid SPDX expression when using it interactively (pro tip: I mostly usenpm init -y
, having previously runnpm config set init.license=MIT
/npm config set init.author.email=foo
/npm config set init.author.name=me
).- The documentation for
package.json
has been updated to tell you how to use the"license"
field properly with SPDX.
In general, this shouldn't be a big deal for anybody other than people trying to run their own automated license validators, but in the long run, if everybody switches to this format, many people's lives will be made much simpler. I think this is an important improvement for npm and am very thankful to Kyle for taking the lead on this. Also, even if you think all of this is completely stupid, just choose a license anyway. Future you will thank past you someday, unless you are djb, in which case you are djb, and more power to you.
8669f7d
#8179 Document how to use SPDX inlicense
stanzas inpackage.json
, including how to migrate from old busted license declaration arrays to fancy new compound-license clauses. (@kemitchell)98ad98c
#8197init-package-json@1.5.0
Ensure that packages bootstrapped withnpm init
use an SPDX-compliant license expression. (@kemitchell)2ad3905
#8197normalize-package-data@2.1.0
: Warn when a package is missing a license declaration, or using a license expression that isn't valid SPDX. (@kemitchell)127bb73
#8197tar@2.1.1
: Switch fromBSD
toISC
for license, where the latter is valid SPDX. (@othiym23)e9a933a
#8197once@1.3.2
: Switch fromBSD
toISC
for license, where the latter is valid SPDX. (@othiym23)412401f
#8197semver@4.3.4
: Switch fromBSD
toISC
for license, where the latter is valid SPDX. (@othiym23)
As a corollary to the previous changes, I've put some work into making npm install
spew out fewer pointless warnings about missing values in transitive
dependencies. From now on, npm will only warn you about missing READMEs,
license fields, and the like for top-level projects (including packages you
directly install into your application, but we may relax that eventually).
Practically nobody liked having those warnings displayed for child dependencies, for the simple reason that there was very little that anybody could do about those warnings, unless they happened to be the maintainers of those dependencies themselves. Since many, many projects don't have SPDX-compliant licenses, the number of warnings reached a level where they ran the risk of turning into a block of visual noise that developers (read: me, and probably you) would ignore forever.
So I fixed it. If you still want to see the messages about child dependencies,
they're still there, but have been pushed down a logging level to info
. You
can display them by running npm install -d
or npm install --loglevel=info
.
eb18245
Only warn on normalization errors for top-level dependencies. Transitive dependency validation warnings are logged atinfo
level. (@othiym23)
BUG FIXES
e40e809
tap@1.0.1
: TAP: The Next Generation. Fix up many tests to they work properly with the new major version ofnode-tap
. Look at all the colors! (@isaacs)f9314e9
nock@1.9.0
: Minor tweaks and bug fixes. (@pgte)45c2b1a
#8187npm ls
wasn't properly recognizing dependencies installed from GitHub repositories as git dependencies, and so wasn't displaying them as such. (@zornme)1ab57c3
In some cases,npm help
was using something that looked like a regular expression where a glob pattern should be used, and vice versa. (@isaacs)
v2.9.1 (2015-04-30):
WOW! MORE GIT FIXES! YOU LOVE THOSE!
The first item below is actually a pretty big deal, as it fixes (with a
one-word change and a much, much longer test case (thanks again,
@iarna)) a regression that's been around for months
now. If you're depending on multiple branches of a single git dependency in a
single project, you probably want to check out npm@2.9.1
and verify that
things (again?) work correctly in your project.
178a6ad
#7202 When caching git dependencies, do so by the whole URL, including the branch name, so that if a single application depends on multiple branches from the same repository (in practice, multiple version tags), every install is of the correct version, instead of reusing whichever branch the caching process happened to check out first. (@iarna)63b79cc
#8084 Ensure that Bitbucket, GitHub, and Gitlab dependencies are installed the same way as non-hosted git dependencies, fixingnpm install --link
. (@laiso)
DOCUMENTATION FIXES AND TWEAKS
These changes may seem simple and small (except Lin's fix to the package name restrictions, which was more an egregious oversight on our part), but cleaner documentation makes npm significantly more pleasant to use. I really appreciate all the typo fixes, clarifications, and formatting tweaks people send us, and am delighted that we get so many of these pull requests. Thanks, everybody!
ca478dc
#8137 Somehow, we had failed to clearly document the full restrictions on package names. @linclark has now fixed that, although we will take with us to our graves the reasons why the maximum package name length is 214 characters (well, OK, it was that that was the longest name in the registry when we decided to put a cap on the name length). (@linclark)b574076
#8079 Make thenpm shrinkwrap
documentation use code formatting for examples consistently. It would be great to do this for more commands HINT HINT. (@RichardLitt)1ff636e
#8105 Document that the globalnpmrc
goes in$PREFIX/etc/npmrc
, instead of$PREFIX/npmrc
. (@anttti)c3f2f7c
#8127 Document how to usenpm run build
directly (hint: it's different fromnpm build
!). (@mikemaccana)873e467
#8069 Take the old, dead npm mailing list address out ofpackage.json
. It seems that people don't have much trouble figuring out how to report errors to npm. (@robertkowalski)
ENROBUSTIFICATIONMENT
5abfc9c
#7973npm run-script
completion will only suggest run scripts, instead of including dependencies. If for some reason you still wanted it to suggest dependencies, let us know. (@mantoni)4b564f0
#8081 Useosenv
to parse the environment'sPATH
in a platform-neutral way. (@watilde)a4b6238
#8094 When we refactored the configuration code to split out checking for IPv4 local addresses, we inadvertently completely broke it by failing to return the values. In addition, just the call toos.getInterfaces()
could throw on systems where querying the network configuration requires elevated privileges (e.g. Amazon Lambda). Add the return, and trap errors so they don't cause npm to explode. Thanks to @mhart for bringing this to our attention! (@othiym23)
DEPENDENCY UPDATES WAIT FOR NO SOPHONT
000cd8b
rimraf@2.3.3
: More informative assertions on argument validation failure. (@isaacs)530a2e3
lru-cache@2.6.2
: Revert to old key access-time behavior, as it was correct all along. (@isaacs)d88958c
minimatch@2.0.7
: Feature detection and test improvements. (@isaacs)3fa39e4
nock@1.7.1
(@pgte)
v2.9.0 (2015-04-23):
This week was kind of a breather to concentrate on fixing up the tests on the
multi-stage
branch, and not mess with git issues for a little while.
Unfortunately, There are now enough severe git issues that we'll probably have
to spend another couple weeks tackling them. In the meantime, enjoy these two
small features. They're just enough to qualify for a semver-minor bump:
NANOFEATURES
2799322
#7426 Include local modules innpm outdated
andnpm update
. (@ArnaudRinquin)2114862
#8014 The prefix used before the version on version tags is now configurable viatag-version-prefix
. Be careful with this one and read the docs before using it. (@kkragenbrink)
OTHER MINOR TWEAKS
18ce0ec
#3032npm unpublish
will now use the registry set inpackage.json
, just likenpm publish
. This only applies, for now, when unpublishing the entire package, as unpublishing a single version requires the name be included on the command line and therefore doesn't read frompackage.json
. (@watilde)9ad2100
#8008 Once again, when considering what to install onnpm install
, includedevDependencies
. (@smikes)5466260
#8003 Clarify the documentation around scopes to make it easier to understand how they support private packages. (@smikes)
DEPENDENCIES WILL NOT STOP UNTIL YOU ARE VERY SLEEPY
faf65a7
init-package-json@1.4.2
: If there are multiple validation errors and warnings, ensure they all get displayed (includes a rad new way of testinginit-package-json
contributed by @michaelnisi). (@MisumiRize)7f10f38
editor@1.0.0
:1.0.0
is literally more than0.1.0
(no change aside from version number). (@substack)4979af3
#6805npm-registry-client@6.3.3
: Decode scoped package names sent by the registry so they look nicer. (@mmalecki)
v2.8.4 (2015-04-16):
This is the fourth release of npm this week, so it's mostly just landing a few
small outstanding PRs on dependencies and some tiny documentation tweaks.
npm@2.8.3
is where the real action is.
ee2bd77
#7983tar@2.1.0
: Better error reporting in corrupted tar files, and add support for thefromBase
flag (rescued from the dustbin of history by @deanmarano). (@othiym23)d8eee6c
init-package-json@1.4.1
: Add support for a default author, and only add scope to a package name once. (@othiym23)4fc5d98
lru-cache@2.6.1
: Small tweaks to cache value aging and entry counting that are irrelevant to npm. (@isaacs)1fe5840
#7946 Makenpm init
text friendlier. (@sandfox)
v2.8.3 (2015-04-15):
TWO SMALL GIT TWEAKS
This is the last of a set of releases intended to ensure npm's git support is robust enough that we can stop working on it for a while. These fixes are small, but prevent a common crasher and clear up one of the more confusing error messages coming out of npm when working with repositories hosted on git.
387f889
#7961 Ensure that hosted git SSH URLs always have a valid protocol when stored inresolved
fields innpm-shrinkwrap.json
. (@othiym23)394c2f5
Switch the order in which hosted Git providers are checked togit:
,git+https:
, thengit+ssh:
(fromgit:
,git+ssh:
, thengit+https:
) in an effort to go from most to least likely to succeed, to make for less confusing error message. (@othiym23)
v2.8.2 (2015-04-14):
PEACE IN OUR TIME
npm has been having an issue with CouchDB's web server since the release
of io.js and Node.js 0.12.0 that has consumed a huge amount of my time
to little visible effect. Sam Mikes picked up the thread from me, and
after a lot of effort
figured out that ultimately there are probably a couple problems with
the new HTTP Agent keep-alive handling in new versions of Node. In
addition, npm-registry-client
was gratuitously sending a body along
with a GET request which was triggering the bugs. Sam removed about 10 bytes from
one file in npm-registry-client
, and this problem, which has been bugging us for months,
completely went away.
In conclusion, Sam Mikes is great, and anybody using a private registry hosted on CouchDB should thank him for his hard work. Also, thanks to the community at large for pitching in on this bug, which has been around for months now.
431c3bf
#7699npm-registry-client@6.3.2
: Don't send body with HTTP GET requests when logging in. (@smikes)
v2.8.1 (2015-04-12):
CORRECTION: NPM'S GIT INTEGRATION IS DOING OKAY
A helpful bug report
led to another round of changes to
hosted-git-info
,
some additional test-writing, and a bunch of hands-on testing against actual
private repositories. While the complexity of npm's git dependency handling is
nearly fractal (because npm is very complex, and git is even more complex),
it's feeling way more solid than it has for a while. We think this is a
substantial improvement over what we had before, so give npm@2.8.1
a shot if
you have particularly complex git use cases and
let us know how it goes.
(NOTE: These changes mostly affect cloning and saving references to packages hosted in git repositories, and don't address some known issues with things like lifecycle scripts not being run on npm dependencies. Work continues on other issues that affect parity between git and npm registry packages.)
66377c6
#7872hosted-git-info@2.1.2
: Pass through credentials embedded in SSH and HTTPs git URLs. (@othiym23)15efe12
#7872 Use the new version ofhosted-git-info
to pass along credentials embedded in git URLs. Test it. Test it a lot. (@othiym23)
SCOPED DEPENDENCIES AND PEER DEPENDENCIES: NOT QUITE REESE'S
Big thanks to @ewie for identifying an issue with
how npm was handling peerDependencies
that were implicitly installed from the
package.json
files of scoped dependencies. This
will be a moot point
with the release of npm@3
, but until then, it's important that
peerDependency
auto-installation work as expected.
b027319
#7920 Scoped packages withpeerDependencies
were installing thepeerDependencies
into the wrong directory. (@ewie)649e31a
#7920 TestpeerDependency
installs involving scoped packages usingnpm-package-arg
instead of simple path tests, for consistency. (@othiym23)
MAKING IT EASIER TO WRITE NPM TESTS, VERSION 0.0.1
@iarna and I
(@othiym23) have been discussing a
candidate plan
for improving npm's test suite, with the goal of making it easier for new
contributors to get involved with npm by reducing the learning curve
necessary to be able to write good tests for proposed changes. This is the
first substantial piece of that effort. Here's what the commit message for
ed7e249
had to say about this work:
It's too difficult for npm contributors to figure out what the conventional style is for tests. Part of the problem is that the documentation in CONTRIBUTING.md is inadequate, but another important factor is that the tests themselves are written in a variety of styles. One of the most notable examples of this is the fact that many tests use fixture directories to store precooked test scenarios and package.json files.
This had some negative consequences:
- tests weren't idempotent
- subtle dependencies between tests existed
- new tests get written in this deprecated style because it's not obvious that the style is out of favor
- it's hard to figure out why a lot of those directories existed, because they served a variety of purposes, so it was difficult to tell when it was safe to remove them
All in all, the fixture directories were a major source of technical debt, and cleaning them up, while time-consuming, makes the whole test suite much more approachable, and makes it more likely that new tests written by outside contributors will follow a conventional style. To support that, all of the tests touched by this changed were cleaned up to pass the
standard
style checker.
And here's a little extra context from a comment I left on #7929:
One of the other things that encouraged me was looking at this presentation on technical debt from Pycon 2015, especially slide 53, which I interpreted in terms of difficulty getting new contributors to submit patches to an OSS project like npm. npm has a long ways to go, but I feel good about this change.
ed7e249
#7929 Eliminate fixture directories fromtest/tap
, leaving each test self-contained. (@othiym23)4928d30
#7929 Move fixture files fromtest/tap/*
totest/fixtures
. (@othiym23)e925deb
#7929 Tweak the run scripts to stop slaughtering the CPU on doc rebuild. (@othiym23)65bf7cf
#7923 Use an alias of scripts and run-scripts innpm run test-all
(@watilde)756a3fb
#7923 Sync timeout time ofnpm run-script test-all
to be the same astest
andtap
scripts. (@watilde)8299b5f
Set a timeout for tap tests fornpm run-script test-all
. (@othiym23)
THE EVER-BEATING DRUM OF DEPENDENCY UPDATES
d90d0b9
#7924 Removechild-process-close
, as it was included for Node 0.6 compatibility, and npm no longer supports 0.6. (@robertkowalski)16427c1
lru-cache@2.5.2
: More accurate updating of expiry times whenmaxAge
is set. (@isaacs)03cce83
nock@1.6.0
: Mocked network error handling. (@pgte)f93b1f0
glob@5.0.5
: Usepath-is-absolute
polyfill, allowing newer Node.js and io.js versions to usepath.isAbsolute()
. (@sindresorhus)a70d694
request@2.55.0
: Bug fixes and simplification. (@simov)2aecc6f
columnify@1.5.1
: Switch to using babel from 6to5. (@timoxley)
v2.8.0 (2015-04-09):
WE WILL NEVER BE DONE FIXING NPM'S GIT SUPPORT
If you look at the last release's release
notes,
you will note that they confidently assert that it's perfectly OK to force all
GitHub URLs through the same git:
-> git+ssh:
fallback flow for cloning. It
turns out that many users depend on git+https:
URLs in their build
environments because they use GitHub auth tokens instead of SSH keys. Also, in
some cases you just want to be able to explicitly say how a given dependency
should be cloned from GitHub.
Because of the way we resolved the inconsistency in GitHub shorthand handling
before, this
turned out to be difficult to work around. So instead of hacking around it, we
completely redid how git is handled within npm and its attendant packages.
Again. This time, we changed things so that normalize-package-data
and
read-package-json
leave more of the git logic to npm itself, which makes
handling shorthand syntax consistently much easier, and also allows users to
resume using explicit, fully-qualified git URLs without npm messing with them.
Here's a summary of what's changed:
- Instead of converting the GitHub shorthand syntax to a
git+ssh:
,git:
, orgit+https:
URL and saving that, save the shorthand itself topackage.json
. - If presented with shortcuts, try cloning via the git protocol, SSH, and HTTPS (in that order).
- No longer prompt for credentials -- it didn't work right with the spinner,
and wasn't guaranteed to work anyway. We may experiment with doing this a
better way in the future. Users can override this by setting
GIT_ASKPASS
in their environment if they want to experiment with interactive cloning, but should also set--no-spin
on the npm command line (or runnpm config set spin=false
). - EXPERIMENTAL FEATURE: Add support for
github:
,gist:
,bitbucket:
, andgitlab:
shorthand prefixes. GitHub shortcuts will continue to be normalized toorg/repo
instead of being saved asgithub:org/repo
, butgitlab:
,gist:
, andbitbucket:
prefixes will be used on the command line and frompackage.json
. BE CAREFUL WITH THIS.package.json
files published with the new shorthand syntax can only be read bynpm@2.8.0
and later, and this feature is mostly meant for playing around with it. If you want to save git dependencies in a form that older versions of npm can read, use--save-exact
, which will save the git URL and resolved commit hash of the head of the branch in a manner similar to the way that--save-exact
pins versions for registry dependencies. This is documented (so checknpm help install
for details), but we're not going to make a lot of noise about it until it has a chance to bake in a little more.
It is @othiym23's sincere hope that this will resolve all of the inconsistencies users were seeing with GitHub and git-hosted packages, but given the level of change here, that may just be a fond wish. Extra testing of this change is requested.
6b0f588
#7867 Use git shorthand and git URLs as presented by user. Support newhosted-git-info
shortcut syntax. Save shorthand inpackage.json
. Try cloning viagit:
,git+ssh:
, andgit+https:
, in that order, when supported by the underlying hosting provider. (@othiym23)75d4267
#7867 Document new GitHub, GitHub gist, Bitbucket, and GitLab shorthand syntax. (@othiym23)7d92c75
#7867 When--save-exact
is used with git shorthand or URLs, save the fully-resolved URL, with branch name resolved to the exact hash for the commit checked out. (@othiym23)9220e59
#7867 Ensure that non-prefixed and non-normalized GitHub shortcuts are saved topackage.json
. (@othiym23)dd398e9
#7867hosted-git-info@2.1.1
: Ensure thatgist:
shorthand survives being round-tripped throughpackage.json
. (@othiym23)33d1420
#7867hosted-git-info@2.1.0
: Add support for auth embedded directly in git URLs. (@othiym23)23a1d5a
#7867hosted-git-info@2.0.2
: Make it possible to determine in which form a hosted git URL was passed. (@iarna)eaf75ac
#7867normalize-package-data@2.0.0
: Normalize GitHub specifiers so they pass through shortcut syntax and preserve explicit URLs. (@iarna)95e0535
#7867npm-package-arg@4.0.0
: Add git URL and shortcut to hosted git spec and usehosted-git-info@2.0.2
. (@iarna)a808926
#7867realize-package-specifier@3.0.0
: Usenpm-package-arg@4.0.0
and test shortcut specifier behavior. (@iarna)6dd1e03
#7867init-package-json@1.4.0
: Allow dependency onread-package-json@2.0.0
. (@iarna)63254bb
#7867read-installed@4.0.0
: Useread-package-json@2.0.0
. (@iarna)254b887
#7867read-package-json@2.0.0
: Usenormalize-package-data@2.0.0
. (@iarna)0b9f8be
#7867npm-registry-client@6.3.0
: Mark compatibility withnormalize-package-data@2.0.0
andnpm-package-arg@4.0.0
. (@iarna)f40ecaa
#7867 Extract a common method to use when cloning git repos for testing. (@othiym23)
TEST FIXES FOR NODE 0.8
npm continues to get closer to being completely green on Travis for Node 0.8.
26d36e9
#7842 When spawning child processes, map exit code 127 to ENOENT so Node 0.8 handles child process failures the same as later versions. (@SonicHedgehog)54cd895
#7842 Node 0.8 requires -e with -p when evaluating snippets; fix test. (@SonicHedgehog)
SMALL FIX AND DOC TWEAK
20e9003
tar@2.0.1
: Fix regression where relative symbolic links within an extraction root that pointed within an extraction root would get normalized to absolute symbolic links. (@isaacs)2ef8898
#7879 Better document thatnpm publish --tag=foo
will not setlatest
to that version. (@linclark)
v2.7.6 (2015-04-02):
GIT MEAN, GIT TUFF, GIT ALL THE WAY AWAY FROM MY STUFF
Part of the reason that we're reluctant to take patches to how npm deals with
git dependencies is that every time we touch the git support, something breaks.
The last few releases are a case in point. npm@2.7.4
completely broke
installing private modules from GitHub, and npm@2.7.5
fixed them at the cost
of logging a misleading error message that caused many people to believe that
their dependencies hadn't been successfully installed when they actually had
been.
This all started from a desire to ensure that GitHub shortcut syntax is being
handled correctly. The correct behavior is for npm to try to clone all
dependencies on GitHub (whether they're specified with the GitHub
organization/repository
shortcut syntax or not) via the plain git:
protocol
first, and to fall back to using git+ssh:
if git:
doesn't work. Previously,
sometimes npm would use git:
and git+ssh:
in some cases (most notably when
using GitHub shortcut syntax on the command line), and use git+https:
in
others (when the GitHub shortcut syntax was present in package.json
). This
led to subtle and hard-to-understand inconsistencies, and we're glad that as of
npm@2.7.6
, we've finally gotten things to where they were before we started,
only slightly more consistent overall.
We are now going to go back to our policy of being extremely reluctant to touch the code that handles Git dependencies.
b747593
#7630 Don't automatically log all git failures as errors.maybeGithub
needs to be able to fail without logging to support its fallback logic. (@othiym23)cd67a0d
#7829 When fetching a git remote URL, handle failures gracefully (without assuming standard output exists). (@othiym23)637c7d1
#7829 When fetching a git remote URL, handle failures gracefully (without assuming standard error exists). (@othiym23)