search

NodeOS / nodeos-usersfs

2 stars 7 forks source link

Update npm to the latest version 🚀 #19

Closed greenkeeper[bot] closed 6 years ago

greenkeeper[bot] commented 7 years ago

Version 5.0.0 of npm just got published.

Dependency npm
Current Version 4.6.1
Type devDependency

The version 5.0.0 is not covered by your current version range.

Without accepting this pull request your project will work just like it did before. There might be a bunch of new features, fixes and perf improvements that the maintainers worked on for you though.

I recommend you look into these changes and try to get onto the latest version of npm. Given that you have a decent test suite, a passing build is a strong indicator that you can take advantage of these changes by merging the proposed change into your project. Otherwise this branch is a great starting point for you to work on the update.

Release Notes v5.0.0

Wowowowowow npm@5!

This release marks months of hard work for the young, scrappy, and hungry CLI team, and includes some changes we've been hoping to do for literally years. npm@5 takes npm a pretty big step forward, significantly improving its performance in almost all common situations, fixing a bunch of old errors due to the architecture, and just generally making it more robust and fault-tolerant. It comes with changes to make life easier for people doing monorepos, for users who want consistency/security guarantees, and brings semver support to git dependencies. See below for all the deets!

Breaking Changes

  • Existing npm caches will no longer be used: you will have to redownload any cached packages. There is no tool or intention to reuse old caches. (#15666)

  • npm install ./packages/subdir will now create a symlink instead of a regular installation. file://path/to/tarball.tgz will not change -- only directories are symlinked. (#15900)

  • npm will now scold you if you capitalize its name. seriously it will fight you.

  • npm will --save by default now. Additionally, package-lock.json will be automatically created unless an npm-shrinkwrap.json exists. (#15666)

  • Git dependencies support semver through user/repo#semver:^1.2.3 (#15308) (#15666) (@sankethkatta)

  • Git dependencies with prepare scripts will have their devDependencies installed, and npm install run in their directory before being packed.

  • npm cache commands have been rewritten and don't really work anything like they did before. (#15666)

  • --cache-min and --cache-max have been deprecated. (#15666)

  • Running npm while offline will no longer insist on retrying network requests. npm will now immediately fall back to cache if possible, or fail. (#15666)

  • package locks no longer exclude optionalDependencies that failed to build. This means package-lock.json and npm-shrinkwrap.json should now be cross-platform. (#15900)

  • If you generated your package lock against registry A, and you switch to registry B, npm will now try to install the packages from registry B, instead of A. If you want to use different registries for different packages, use scope-specific registries (npm config set @myscope:registry=https://myownregist.ry/packages/). Different registries for different unscoped packages are not supported anymore.

  • Shrinkwrap and package-lock no longer warn and exit without saving the lockfile.

  • Local tarballs can now only be installed if they have a file extensions .tar, .tar.gz, or .tgz.

  • A new loglevel, notice, has been added and set as default.

  • One binary to rule them all: ./cli.js has been removed in favor of ./bin/npm-cli.js. In case you were doing something with ./cli.js itself. (#12096) (@watilde)

  • Stub file removed (#16204) (@watilde)

  • The "extremely legacy" _token couchToken has been removed. (#12986)

Feature Summary

Installer changes

  • A new, standardised lockfile feature meant for cross-package-manager compatibility (package-lock.json), and a new format and semantics for shrinkwrap. (#16441)

  • --save is no longer necessary. All installs will be saved by default. You can prevent saving with --no-save. Installing optional and dev deps is unchanged: use -D/--save-dev and -O/--save-optional if you want them saved into those fields instead. Note that since npm@3, npm will automatically update npm-shrinkwrap.json when you save: this will also be true for package-lock.json. (#15666)

  • Installing a package directory now ends up creating a symlink and does the Right Thing™ as far as saving to and installing from the package lock goes. If you have a monorepo, this might make things much easier to work with, and probably a lot faster too. 😁 (#15900)

  • Project-level (toplevel) preinstall scripts now run before anything else, and can modify node_modules before the CLI reads it.

  • Two new scripts have been added, prepack and postpack, which will run on both npm pack and npm publish, but NOT on npm install (without arguments). Combined with the fact that prepublishOnly is run before the tarball is generated, this should round out the general story as far as putzing around with your code before publication.

  • Git dependencies with prepare scripts will now have their devDependencies installed, and their prepare script executed as if under npm pack.

  • Git dependencies now support semver-based matching: npm install git://github.com/npm/npm#semver:^5 (#15308, #15666)

  • node-gyp now supports node-gyp.cmd on Windows (#14568)

  • npm no longer blasts your screen with the whole installed tree. Instead, you'll see a summary report of the install that is much kinder on your shell real-estate. Specially for large projects. (#15914):

$ npm install
npm added 125, removed 32, updated 148 and moved 5 packages in 5.032s.
$

  • --parseable and --json now work more consistently across various commands, particularly install and ls.

  • Indentation is now detected and preserved for package.json, package-lock.json, and npm-shrinkwrap.json. If the package lock is missing, it will default to package.json's current indentation.

Publishing

Cache Rewrite!

We've been talking about rewriting the cache for a loooong time. So here it is. Lots of exciting stuff ahead. The rewrite will also enable some exciting future features, but we'll talk about those when they're actually in the works. #15666 is the main PR for all these changes. Additional PRs/commits are linked inline.

  • Package metadata, package download, and caching infrastructure replaced.

  • It's a bit faster. Hopefully it will be noticeable. 🤔

  • With the shrinkwrap and package-lock changes, tarballs will be looked up in the cache by content address (and verified with it).

  • Corrupted cache entries will automatically be removed and re-fetched on integrity check failure.

  • npm CLI now supports tarball hashes with any hash function supported by Node.js. That is, it will use sha512 for tarballs from registries that send a sha512 checksum as the tarball hash. Publishing with sha512 is added by npm/npm-registry-client#157 and may be backfilled by the registry for older entries.

  • Remote tarball requests are now cached. This means that even if you're missing the integrity field in your shrinkwrap or package-lock, npm will be able to install from the cache.

  • Downloads for large packages are streamed in and out of disk. npm is now able to install packages of """any""" size without running out of memory. Support for publishing them is pending (due to registry limitations).

  • Automatic fallback-to-offline mode. npm will seamlessly use your cache if you are offline, or if you lose access to a particular registry (for example, if you can no longer access a private npm repo, or if your git host is unavailable).

  • A new --prefer-offline option will make npm skip any conditional requests (304 checks) for stale cache data, and only hit the network if something is missing from the cache.

  • A new --prefer-online option that will force npm to revalidate cached data (with 304 checks), ignoring any staleness checks, and refreshing the cache with revalidated, fresh data.

  • A new --offline option will force npm to use the cache or exit. It will error with an ENOTCACHED code if anything it tries to install isn't already in the cache.

  • A new npm cache verify command that will garbage collect your cache, reducing disk usage for things you don't need (-handwave-), and will do full integrity verification on both the index and the content. This is also hooked into npm doctor as part of its larger suite of checking tools.

  • The new cache is very fault tolerant and supports concurrent access.

    • Multiple npm processes will not corrupt a shared cache.
    • Corrupted data will not be installed. Data is checked on both insertion and extraction, and treated as if it were missing if found to be corrupted. I will literally bake you a cookie if you manage to corrupt the cache in such a way that you end up with the wrong data in your installation (installer bugs notwithstanding).
    • npm cache clear is no longer useful for anything except clearing up disk space.

  • Package metadata is cached separately per registry and package type: you can't have package name conflicts between locally-installed packages, private repo packages, and public repo packages. Identical tarball data will still be shared/deduplicated as long as their hashes match.

  • HTTP cache-related headers and features are "fully" (lol) supported for both metadata and tarball requests -- if you have your own registry, you can define your own cache settings the CLI will obey!

  • prepublishOnly now runs before the tarball to publish is created, after prepare has run.

Commits

The new version differs by 225 commits.

  • 39495d0 5.0.0
  • 0d91907 doc: update changelog for npm@5.0.0
  • 8a173da docs: END OF AN ERA OF CHANGELOGS 😭
  • 794c10e pkglock: remove packageIntegrity field of doom
  • 674004c lifecycle: added prepack and postpack (#16725)
  • db76632 cacache@9.2.5
  • 0d35975 preinstall: Runs in the final dest, not the staging folder
  • a976fa1 pacote: more alwaysAuth logic
  • 046f967 pacote: decode password before passing it on
  • 0d40bf3 ls: Nothing is extraneous without a package.json
  • da7bbb2 install: allow parseable output for nodes w/o paths
  • 1ea953a test: gently-rm-linked-module: Cleanup output
  • 4c99147 remove-deps: Update dependencies list even if we're not saving
  • 72ce47c pacote: look for always-auth too
  • 1ab8c41 pacote: send username/password auth through, too

There are 225 commits in total.

See the full diff

Not sure how things should work exactly? There is a collection of [frequently asked questions](https://greenkeeper.io/faq.html) and of course you may always [ask my humans](https://github.com/greenkeeperio/greenkeeper/issues/new).

Your Greenkeeper Bot :palm_tree:

greenkeeper[bot] commented 7 years ago

Version 5.0.2 just got published.

Update to this version instead 🚀

Release Notes v5.0.2

v5.0.2 (2017-06-02)

Here's another patch release, soon after the other!

This particular release includes a slew of fixes to npm's git support, which was causing some issues for a chunk of people, specially those who were using self-hosted/Enterprise repos. All of those should be back in working condition now.

There's another shiny thing you might wanna know about: npm has a Canary release now! The npm5 experiment we did during our beta proved to be incredibly successful: users were able to have a tight feedback loop between reports and getting the bugfixes they needed, and the CLI team was able to roll out experimental patches and have the community try them out right away. So we want to keep doing that.

From now on, you'll be able to install the 'npm canary' with npm i -g npmc. This release will be a separate binary (npmc. Because canary. Get it?), which will update independently of the main CLI. Most of the time, this will track release-next or something close to it. We might occasionally toss experimental branches in there to see if our more adventurous users run into anything interesting with it. For example, the current canary (npmc@5.0.1-canary.6) includes an experimental multiproc branch that parallelizes tarball extraction across multiple processes.

If you find any issues while running the canary version, please report them and let us know it came from npmc! It would be tremendously helpful, and finding things early is a huge reason to have it there. Happy hacking!

A NOTE ABOUT THE ISSUE TRACKER

Just a heads up: We're preparing to do a massive cleanup of the issue tracker. It's been a long time since it was something we could really keep up with, and we didn't have a process for dealing with it that could actually be sustainable.

We're still sussing the details out, and we'll talk about it more when we're about to do it, but the plan is essentially to close old, abandoned issues and start over. We will also add some automation around issue management so that things that we can't keep up with don't just stay around forever.

Stay tuned!

GIT YOLO

  • 1f26e9567 pacote@2.7.27: Fixes installing committishes that look like semver, even though they're not using the required #semver: syntax. (@zkat)
  • 85ea1e0b9 npm-package-arg@5.1.1: This includes the npa git-parsing patch to make it so non-hosted SCP-style identifiers are correctly handled. Previously, npa would mangle them (even though hosted-git-info is doing the right thing for them). (@zkat)

COOL NEW OUTPUT

The new summary output has been really well received! One downside that reared its head as more people used it, though, is that it doesn't really tell you anything about the toplevel versions it installed. So, if you did npm i -g foo, it would just say "added 1 package". This patch by @rmg keeps things concise while still telling you what you got! So now, you'll see something like this:

$ npm i -g foo bar
+ foo@1.2.3
+ bar@3.2.1
added 234 packages in .005ms
  • 362f9fd5b #16899 For every package that is given as an argument to install, print the name and version that was actually installed. (@rmg)

OTHER BUGFIXES

DOC UPATES

  • 89e0cb816 #16818 Fixes a spelling error in the docs. Because the CLI team has trouble spelling "package", I guess. (@ankon)
  • c01fbc46e #16895 Remove --save from npm init instructions, since it's now the default. (@jhwohlgemuth)
  • 80c42d218 Guard against cycles when inflating bundles, as symlinks are bundles now. (@iarna)
  • 7fe7f8665 #16674 Write the builtin config for npmc, not just npm. This is hardcoded for npm self-installations and is needed for Canary to work right. (@zkat)

DEP UPDATES

Commits

The new version differs by 15 commits.

  • d654a8e 5.0.2
  • 00878e5 update AUTHORS
  • 90a25f6 doc: update changelog for npm@5.0.2
  • a6f7a52 aproba@1.1.2
  • 37b85db install: bikeshed new package output
  • 362f9fd install: print spec for each requested package (#16899)
  • 7fe7f86 build: get npm to write the builtin config even if npm binary name changes
  • 85ea1e0 npm-package-arg@5.1.1
  • 5bb15c3 read-package-tree@5.1.6
  • 80c42d2 inflate-bundled: Guard against cycles, as symlinks are bundles now
  • 63df4fc node-gyp@3.6.2
  • c01fbc4 docs: remove --save from npm init instructions (#16895)
  • 89e0cb8 docs: fix package typo (#16818)
  • a47593a inflate-shrinkwrap: fix installing with --no-shrinkwrap (#16835)
  • 1f26e95 pacote@2.7.27

See the full diff

greenkeeper[bot] commented 7 years ago

Version 5.0.3 just got published.

Update to this version instead 🚀

Release Notes v5.0.3

Happy Monday, y'all! We've got another npm release for you with the fruits of our ongoing bugsquashing efforts. You can expect at least one more this week, but probably more -- and as we announced last week, we'll be merging fixes more rapidly into the npmc canary so you can get everything as soon as possible!

Hope y'all are enjoying npm5 in the meantime, and don't hesitate to file issues for anything you find! The goal is to get this release rock-solid as soon as we can. 💚

  • 6e12a5cc0 Bump several dependencies to get improvements and bugfixes:
    • cacache: content files (the tarballs) are now read-only.
    • pacote: fix failing clones with bad heads, send extra TLS-related opts to proxy, enable global auth configurations and _auth-based auth.
    • ssri: stop crashing with can't call method find of undefined when running into a weird opts.integrity/opts.algorithms conflict during verification.
      (@zkat)
  • 89cc8e3e1 #16917 Send ca, cert and key config through to network layer. (@colinrotherham)
  • 6a9b51c67 #16929 Send npm-session header value with registry requests again. (@zarenner)
  • 662a15ab7 Fix npm doctor so it stop complaining about read-only content files in the cache. (@zkat)
  • 191d10a66 #16918 Clarify prepublish deprecation message. (@Hirse)
Commits

The new version differs by 11 commits.

  • fb8de0d 5.0.3
  • cd3886a update AUTHORS
  • 758942c doc: update changelog for npm@5.0.3
  • 662a15a doctor: new cacache sets content files to be read-only
  • 346cb00 standard: fixing linting issues
  • 89cc8e3 pacote: send certificate authority, cert and key config through (#16917)
  • 191d10a docs: fix up prepublish deprecation message
  • 6e12a5c deps: bump cacache, pacote, ssri, readable-stream, safe-buffer
  • 0b9fc56 ci: add node 8 to travis (#16934)
  • b66b5bb ci: add node 8 to appveyor.yml (#16935)
  • 6a9b51c pacote: Generate and pass npm-session header value to pacote (#16929)

See the full diff

greenkeeper[bot] commented 7 years ago

Version 5.0.4 just got published.

Update to this version instead 🚀

Release Notes v5.0.4

v5.0.4 (2017-06-13):

Hey y'all. This is another minor patch release with a variety of little fixes we've been accumulating~

  • f0a37ace9 Fix npm doctor when hitting registries without ping. (@zkat)
  • 64f0105e8 Fix invalid format error when setting cache-related headers. ([@kat Marchán](https://github.com/Kat Marchán))
  • d2969c80e Fix spurious EINTEGRITY issue. (@zkat)
  • 800cb2b4e #17076 Use legacy from field to improve upgrade experience from legacy shrinkwraps and installs. (@zkat)
  • 4100d47ea #17007 Restore loose semver parsing to match older npm behavior when running into invalid semver ranges in dependencies. (@zkat)
  • 35316cce2 #17005 Emulate npm@4's behavior of simply marking the peerDep as invalid, instead of crashing. (@zkat)
  • e7e8ee5c5 #16937 Workaround for separate bug where requested was somehow null. (@forivall)
  • 2d9629bb2 Better logging output for git errors. (@zkat)
  • 2235aea73 More scp-url fixes: parsing only worked correctly when a committish was present. (@zkat)
  • 80c33cf5e Standardize package permissions on tarball extraction, instead of using perms from the tarball. This matches previous npm behavior and fixes a number of incompatibilities in the wild. (@zkat)
  • 2b1e40efb Limit shallow cloning to hosts which are known to support it. (@zkat)
Commits

The new version differs by 16 commits.

  • d2b4744 5.0.4
  • bf30a8d update AUTHORS
  • a5384a3 doc: update changelog for npm@5.0.4
  • 2b1e40e git: bump pacote for git shallow clone fix
  • 80c33cf extract: force standardized perms like npm used to
  • 2235aea git: use latest npa for more scp url fixes
  • 2d9629b pacote: pull in new version with better git logging
  • e7e8ee5 shrinkwrap: quick fix for possibility that req is sometimes null (#16937)
  • 35316cc deps: ignore npa.resolve error from parsing peerDeps (#17005)
  • 4100d47 deps: use relaxed semver range matching for compatibility (#17007)
  • 800cb2b shrinkwrap: lean on from field for better forward-compat (#17076)
  • d2969c8 pacote: (hopefully) fix integrity-related issue
  • 64f0105 deps: bump pacote to fix local-cache header issue
  • bfe44d4 commands: mix it up a bit (#17001)
  • f0a37ac doctor: ignore errors from ping()

There are 16 commits in total.

See the full diff

greenkeeper[bot] commented 7 years ago

Version 5.0.4 just got published.

Update to this version instead 🚀

Release Notes v5.0.4

Hey y'all. This is another minor patch release with a variety of little fixes we've been accumulating~

  • f0a37ace9 Fix npm doctor when hitting registries without ping. (@zkat)
  • 64f0105e8 Fix invalid format error when setting cache-related headers. ([@kat Marchán](https://github.com/Kat Marchán))
  • d2969c80e Fix spurious EINTEGRITY issue. (@zkat)
  • 800cb2b4e #17076 Use legacy from field to improve upgrade experience from legacy shrinkwraps and installs. (@zkat)
  • 4100d47ea #17007 Restore loose semver parsing to match older npm behavior when running into invalid semver ranges in dependencies. (@zkat)
  • 35316cce2 #17005 Emulate npm@4's behavior of simply marking the peerDep as invalid, instead of crashing. (@zkat)
  • e7e8ee5c5 #16937 Workaround for separate bug where requested was somehow null. (@forivall)
  • 2d9629bb2 Better logging output for git errors. (@zkat)
  • 2235aea73 More scp-url fixes: parsing only worked correctly when a committish was present. (@zkat)
  • 80c33cf5e Standardize package permissions on tarball extraction, instead of using perms from the tarball. This matches previous npm behavior and fixes a number of incompatibilities in the wild. (@zkat)
  • 2b1e40efb Limit shallow cloning to hosts which are known to support it. (@zkat)
Commits

The new version differs by commits.

See the full diff

greenkeeper[bot] commented 7 years ago

Version 5.1.0 just got published.

Update to this version instead 🚀

Release Notes v5.1.0

Hey y'all~

We've got some goodies for you here, including npm@5's first semver-minor release! This version includes a huge number of fixes, particularly for some of the critical bugs users were running into after upgrading npm. You should overall see a much more stable experience, and we're going to continue hacking on fixes for the time being. Semver-major releases, specially for tools like npm, are bound to cause some instability, and getting npm@5 stable is the CLI team's top priority for now!

Not that bugfixes are the only things that landed, either: between improvements that fell out of the bugfixes, and some really cool work by community members like @mikesherov, npm@5.1.0 is twice as fast as npm@5.0.0 in some benchmarks. We're not stopping there, either: you can expect a steady stream of speed improvements over the course of the year. It's not top priority, but we'll keep doing what we can to make sure npm saves its users as much time as possible.

Hang on to your seats. At 100 commits, this release is a bit of a doozy. 😎

FEATURES

Semver-minor releases, of course, mean that there's a new feature somewhere, right? Here's what's bumping that number for us this time:

  • a09c1a69d #16687 Allow customizing the shell used to execute run-scripts. (@mmkal)
  • 4f45ba222 a48958598 901bef0e1 #17508 Add a new requires field to package-lock.json with information about the logical dependency tree. This includes references to the specific version each package is intended to see, and can be used for many things, such as converting package-lock.json to other lockfile formats, various optimizations, and verifying correctness of a package tree. (@iarna)
  • 47e8fc8eb #17508 Make npm ls take package locks (and shrinkwraps) into account. This means npm ls can now be used to see which dependencies are missing, so long as a package lock has been previously generated with it in. (@iarna)
  • f0075e7ca #17508 Take package.json changes into account when running installs -- if you remove or add a dependency to package.json manually, npm will now pick that up and update your tree and package lock accordingly. (@iarna)
  • 83a5455aa #17205 Add npm udpate as an alias for npm update, for symmetry with install/isntall. (@gdassori)
  • 57225d394 #17120 npm will no longer warn about preferGlobal, and the option is now deprecated. (@zkat)
  • 82df7bb16 #17351 As some of you may already know npm build doesn't do what a lot of people expect: It's mainly an npm plumbing command, and is part of the more familiar npm rebuild command. That said, a lot of users assume that this is the way to run an npm run-script named build, which is an incredibly common script name to use. To clarify things for users, and encourage them to use npm run build instead, npm will now warn if npm build is run without any arguments. (@lennym)

PERFORMANCE

  • 59f86ef90 43be9d222 e906cdd98 #16633 npm now parallelizes tarball extraction across multiple child process workers. This can significantly speed up installations, specially when installing from cache, and will improve with number of processors. (@zkat)
  • e0849878d #17441 Avoid building environment for empty lifecycle scripts. This change alone accounted for as much as a 15% speed boost for npm installations by outright skipping entire steps of the installer when not needed. (@mikesherov)
  • 265c2544c npm/hosted-git-info#24 hosted-git-info@2.5.0: Add caching to fromURL, which gets called many, many times by the installer. This improved installation performance by around 10% on realistic application repositories. (@mikesherov)
  • 901d26cb npm/read-package-json#20 read-package-json@2.0.9: Speed up installs by as much as 20% by reintroducing a previously-removed cache and making it actually be correct this time around. (@mikesherov)
  • 44e37045d Eliminate Bluebird.promisifyAll from our codebase. (@iarna)
  • 3b4681b53 #17508 Stop calling addBundle on locked deps, speeding up the package-lock.json-based fast path. (@iarna)

BUGFIXES

  • #17508 This is a big PR that fixes a variety of issues when installing from package locks. If you were previously having issues with missing dependencies or unwanted removals, this might have fixed it (@iarna):
    • It introduces a new package-lock.json field, called requires, which tracks which modules a given module requires.
    • It fixes #16839 which was caused by not having this information available, particularly when git dependencies were involved.
    • It fixes #16866, allowing the package.json to trump the package-lock.json.
    • npm ls now loads the shrinkwrap, which opens the door to showing a full tree of dependencies even when nothing is yet installed. (It doesn't do that yet though.)
  • 656544c31 d21ab57c3 #16637 Fix some cases where npm prune was leaving some dependencies unpruned if to-be-pruned dependencies depended on them. (@exogen)
  • 394436b09 #17552 Make refresh-package-json re-verify the package platform. This fixes an issue most notably experienced by Windows users using create-react-app where fsevents would not short-circuit and cause a crash during its otherwise-skipped native build phase. (@zkat)
  • 9e5a94354 #17590 Fix an issue where npm@5 would crash when trying to remove packages installed with npm@<5. (@iarna)
  • c3b586aaf #17141 Don't update the package.json when modifying packages that don't go there. This was previously causing package.json to get a "false": {} field added. (@iarna)
  • d04a23de2 4a5b360d5 d9e53db48 pacote@2.7.38 (@colinrotherham, @zkat, @mcibique):
    • zkat/pacote#102 Fix issue with tar extraction and special characters.
    • Enable loose semver parsing in some missing corner cases.
  • e2f815f87 #17104 Write an empty str and wait for flush to exit to reduce issues with npm exiting before all output is complete when it's a child process. (@zkat)
  • 835fcec60 #17060 Make git repos with prepare scripts always install with both dev and prod flags. (@intellix)
  • f1dc8a175 #16879 Fix support for always-auth and _auth. They are now both available in both unscoped and registry-scoped configurations. (@jozemlakar)
  • ddd8a1ca2 Serialize package specs to prevent [object Object] showing up in logs during extraction. (@zkat)
  • 99ef3b52c #17505 Stop trying to commit updated npm-shrinkwrap.json and package-lock.json if they're .gitignored. (@zkat)
  • 58be2ec59 Make sure uid and gid are getting correctly set even when they're 0. This should fix some Docker-related issues with bad permissions/broken ownership. (@rgrove)
    (@zkat)
  • 9d1e3b6fa #17506 Skip writing package.json and locks if on-disk version is identical to the new one. (@zkat)
  • 3fc6477a8 #17592 Fix an issue where npm install -g . on a package with no name field would cause the entire global node_modules directory to be replaced with a symlink to $CWD. lol. (@iarna)
  • 06ba0a14a #17591 Fix spurious removal reporting: if you tried to remove something that didn't actually exist, npm would tell you it removed 1 package even though there wasothing to do. (@iarna)
  • 20ff05f8 #17629 When removing a link, keep dependencies installed inside of it instead of removing them, if the link is outside the scope of the current project. This fixes an issue where removing globally-linked packages would remove all their dependencies in the source directory, as well as some ergonomic issues when using links in other situations. (@iarna)

DOCS

MISC

Not all contributions need to be visible features, docs, or bugfixes! It's super helpful when community members go over our code and help clean it up, too!

Commits

The new version differs by 102 commits.

  • 24ec9f2 5.1.0
  • 8cefdc3 update AUTHORS
  • db0a2f8 doc: update changelog for npm@5.1.0
  • 20ff05f remove: Make file: spec/link removal match specification
  • 993f673 config: remove old comment (#17600)
  • a09c1a6 run-script: allow custom shell (#16687)
  • 7d65004 config: refactor to use Object.assign (#17563)
  • 9e5a943 install/deps: Compute required package in legacy npm compatible way (#17590)
  • 06ba0a1 install: fix spurious removal reporting (#17591)
  • 3fc6477 validate-args: Check for name and version (#17592)
  • d4df17a test: Remove extra blank line from prune-dev-dep-cycle
  • 74924de prune: Remove extraneous code
  • 1e56f49 save: Remove extraneous module
  • 394436b actions: make refresh-package-json re-verify the package platform (#17552)
  • d21ab57 prune: Fix unpruned and incorrectly pruned dependencies

There are 102 commits in total.

See the full diff

greenkeeper[bot] commented 7 years ago

Version 5.2.0 just got published.

Update to this version instead 🚀

Release Notes v5.2.0 (2017-07-05)

It's only been a couple of days but we've got some bug fixes we wanted to get out to you all. We also believe that npx is ready to be bundled with npm, which we're really excited about!

npx!!!

npx is a tool intended to help round out the experience of using packages from the npm registry — the same way npm makes it super easy to install and manage dependencies hosted on the registry, npx is meant to make it easy to use CLI tools and other executables hosted on the registry. It greatly simplifies a number of things that, until now, required a bit of ceremony to do with plain npm.

@zkat has a great introduction post to npx that I highly recommend you give a read

BUG FIXES

  • 9fe905c39 #17652 Fix max callstack exceeded loops with trees with circular links. (@iarna)
  • c0a289b1b #17606 Make sure that when write package.json and package-lock.json we always use unix path separators. (@Standard8)
  • 1658b79ca #17654 Make npm outdated show results for globals again. Previously it never thought they were out of date. (@iarna)
  • 06c154fd6 #17678 Stop flattening modules that have peer dependencies. We're making this change to support scenarios where the module requiring a peer dependency is flattened but the peer dependency itself is not, due to conflicts. In those cases the module requiring the peer dep can't be flattened past the location its peer dep was placed in. This initial fix is naive, never flattening peer deps, and we can look into doing something more sophisticated later on. (@iarna)
  • 88aafee8b #17677 There was an issue where updating a flattened dependency would sometimes unflatten it. This only happened when the dependency had dependencies that in turn required the original dependency. (@iarna)
  • b58ec8eab #17626 Integrators who were building their own copies of npm ran into issues because make install and https://npmjs.com/install.sh weren't aware that npm install creates links now when given a directory to work on. This does not impact folks installing npm with npm install -g npm. (@iarna)

DOC FIXES

Commits

The new version differs by 22 commits.

  • cd804f6 5.2.0
  • 055fd28 update AUTHORS
  • 66ff2ca doc: Changelog for 5.2.0
  • fb040be npx: bundle npx with npm itself
  • 88aafee install: Fix deps getting moved on update
  • 06c154f install/deps: Stop flattening modules that require peer deps
  • 1658b79 outdated: Show results for globals again
  • c0a289b install: fix package.json and package-lock.json to use unix style paths
  • f11c45b worker-farm@1.4.1
  • d24a06e readable-stream@2.3.3
  • 3e4470f read-package-json@2.0.10
  • 9fe905c install: fix max callstack exceeded loops with links
  • b2b0373 standard: Make happy
  • 59ce7c0 travis: Run standard on one of the node versions
  • bfaeb26 travis: Stop caching node_modules

There are 22 commits in total.

See the full diff

greenkeeper[bot] commented 7 years ago

Version 5.3.0 just got published.

Update to this version instead 🚀

Release Notes v5.3.0

As mentioned before, we're continuing to do relatively rapid, smaller releases as we keep working on stomping out npm@5 issues! We've made a lot of progress since 5.0 already, and this release is no exception.

FEATURES

  • 1e3a46944 #17616 Add --link filter option to npm ls. (@richardsimko)
  • 33df0aaa libnpx@9.2.0 (@zkat):
    • 4 new languages - Czech, Italian, Turkish, and Chinese (Traditional)! This means npx is available in 14 different languages!
    • New --node-arg option lets you pass CLI arguments directly to node when the target binary is found to be a Node.js script.

BUGFIXES

  • 33df0aaa
    libnpx@9.2.0 (@zkat):
    • npx should now work on (most) Windows installs. A couple of issues remain.
    • Prevent auto-fallback from going into an infinite loop when npx disappears.
    • npx npx npx npx npx npx npx npx works again.
    • update-notifier will no longer run for the npx bundled with npm.
    • npx <cmd> in a subdirectory of your project should be able to find your node_modules/.bin now. Oops
  • 8e979bf80 Revert change where npm stopped flattening modules that required peerDeps. This caused problems because folks were using peer deps to indicate that the target of the peer dep needed to be able to require the dependency and had been relying on the fact that peer deps didn't change the shape of the tree (as of npm@3). The fix that will actually work for people is for a peer dep to insist on never being installed deeper than the the thing it relies on. At the moment this is tricky because the thing the peer dep relies on may not yet have been added to the tree, so we don't know where it is. (@iarna)
  • 7f28a77f3 #17733 Split remove and unbuild actions into two to get uninstall lifecycles and the removal of transitive symlinks during uninstallation to run in the right order. (@iarna)
  • 637f2548f #17748 When rolling back use symlink project-relative path, fixing some issues with fs-vacuum getting confused while removing symlinked things. (@iarna)
  • f153b5b22 #17706 Use semver to compare node versions in npm doctor instead of plain > comparison. (@leo-shopify)
  • 542f7561 #17742 Fix issue where npm version would sometimes not commit package-locks. (@markpeterfejes)
  • 51a9e63d #17777 Fix bug exposed by other bugfixes where the wrong package would be removed. (@iarna)

DOCUMENTATION

Have we mentioned we really like documentation patches? Keep sending them in! Small patches are just fine, and they're a great way to get started contributing to npm!

Commits

The new version differs by 18 commits.

  • 75b462c 5.3.0
  • f13e1fb update AUTHORS
  • 2fdc7b7 doc: update changelog for npm@5.3.0
  • 33df0aa libnpx@9.2.0
  • 51a9e63 decompose-actions: Update should remove the OLD pkg, add the new (#17777)
  • 41a0943 test: Unbuild actions happen in reverse now, not remove (#17776)
  • 542f756 version: Fixed lockfiles not being added to the commit (#17742)
  • f153b5b doctor: Use semver to compare node versions in npm doctor (#17706)
  • d5ad65e docs: add --no-save flag for uninstall (#17691)
  • f398c70 docs: tweak heading hierarchy in package.json docs (#17684)
  • fb42d55 docs: Document semver git urls in package.json docs. (#17728)
  • 637f254 finalize: When rolling back use symlink project-relative path (#17748)
  • 45f49bb libnpx@9.1.0
  • 7f28a77 action: Split remove and unbuild actions into two (#17733)
  • 1e3a469 ls: add --link filter (#17616)

There are 18 commits in total.

See the full diff

greenkeeper[bot] commented 7 years ago

Version 5.4.0 just got published.

Update to this version instead 🚀

Release Notes v5.4.0

Here's another small big release, with a handful bunch of fixes and a couple of small new features! This release has been incubating rather longer than usual and it's grown quite a bit in that time. I'm also excited to say that it has contributions from 27 different folks, which is a new record for us. Our previous record was 5.1.0 at 21. Before that the record had been held by 1.3.16 since December of 2013.

chart of contributor counts by version, showing an increasing rate over time and spikes mid in the 1.x series and later at 5.x

If you can't get enough of the bleeding edge, I encourage you to check out our canary release of npm. Get it with npm install -g npmc. It's going to be seeing some exciting stuff in the next couple of weeks, starting with a rewriten npm dedupe, but moving on to… well, you'll just have to wait and find out.

PERFORMANCE

  • d080379f6 pacote@6.0.1 Updates extract to use tar@4, which is much faster than the older tar@2. It reduces install times by as much as 10%. (@zkat)
  • 4cd6a1774 0195c0a8c #16804 tar@4.0.1 Update publish to use tar@4. tar@4 brings many advantages over tar@2: It's faster, better tested and easier to work with. It also produces exactly the same byte-for-byte output when producing tarballs from the same set of files. This will have some nice carry on effects for things like caching builds from git. And finally, last but certainly not least, upgrading to it also let's us finally eliminate fstream—if you know what that is you'll know why we're so relieved. (@isaacs)

FEATURES

  • 1ac470dd2 #10382 If you make a typo when writing a command now, npm will print a brief "did you mean..." message with some possible alternatives to what you meant. (@watilde)
  • 20c46228d #12356 When running lifecycle scripts, INIT_CWD will now contain the original working directory that npm was executed from. Remember that you can use npm run-script even if you're not inside your package root directory! (@MichaelQQ)
  • be91e1726 4e7c41f4a libnpx@9.6.0: Fixes a number of issues on Windows and adds support for several more languages: Korean, Norwegian (bokmål and nynorsk), Ukrainian, Serbian, Bahasa Indonesia, Polish, Dutch and Arabic. (@zkat)
  • 2dec601c6 #17142 Add the new commit-hooks option to npm version so that you can disable commit hooks when committing the version bump. (@faazshift)
  • bde151902 #14461 Make output from npm ping clear as to its success or failure. (@legodude17)

BUGFIXES

  • b6d5549d2 #17844 Make package-lock.json sorting locale-agnostic. Previously, sorting would vary by locale, due to using localeCompare for key sorting. This'll give you a little package-lock.json churn as it reshuffles things, sorry! (@LotharSee)
  • 44b98b9dd #17919 Fix a crash where npm prune --production would fail while removing .bin. (@fasterthanlime)
  • c3d1d3ba8 #17816 Fail more smoothly when attempting to install an invalid package name. (@SamuelMarks)
  • 55ac2fca8 #12784 Guard against stack overflows when marking packages as failed. (@vtravieso)
  • 597cc0e4b #15087 Stop outputting progressbars or using color on dumb terminals. (@iarna)
  • 7a7710ba7 #15088 Don't exclude modules that are both dev & prod when using npm ls --production. (@iarna)
  • 867df2b02 #18164 Only do multiple procs on OSX for now. We've seen a handful of issues relating to this in Docker and in on Windows with antivirus. (@zkat)
  • 23540af7b #18117 Some package managers would write spaces to the _from field in package.json's in the form of name @spec. This was causing npm to fail to interpret them. We now handle that correctly and doubly make sure we don't do that ourselves. (@IgorNadj)
  • 0ef320cb4 #16634 Convert any bin script with a shbang a the start to Unix line-endings. (These sorts of scripts are not compatible with Windows line-endings even on Windows.) (@ScottFreeCode)
  • 71191ca22 #16476 npm-lifecycle@1.0.2 Running an install with --ignore-scripts was resulting in the the package object being mutated to have the lifecycle scripts removed from it and that in turn was being written out to disk, causing further problems. This fixes that: No more mutation, no more unexpected changes. (@addaleax)
  • 459fa9d51 npm/read-package-json#74 #17802 read-package-json@2.0.1 Use unix-style slashes for generated bin entries, which lets them be cross platform even when produced on Windows. (@iarna)
  • 5ec72ab5b #18229 Make install.sh find nodejs on debian. (@cebe)

DOCUMENTATION

POSSIBLY INTERESTING DEPENDENCY UPDATES

  • 48d84171a f60b05d63 semver@5.4.1 Perf improvements. (@zkat)
  • f4650b5d4 write-file-atomic@2.3.0: Serialize writes to the same file so that results are deterministic. Cleanup tempfiles when process is interrupted or killed. (@ferm10n) (@iarna)

CHORES

  • 96d78df98 80e2f4960 4f49f687b 07d2296b1 a267ab430 #18176 #18025 Move the lifecycle code out of npm into a separate library, npm-lifecycle. Shh, I didn't tell you this, but this portends to some pretty cool stuff to come very soon now. (@mikesherov)
  • 0933c7eaf #18025 Force Travis to use Precise instead of Trusty. We have issues with our couchdb setup and Trusty. =/ (@mikesherov)
  • afb086230 #18138 Fix typos in files-and-ignores test. (@supertong)
  • 3e6d11cde #18175 Update dependencies to eliminate transitive dependencies with the WTFPL license, which some more serious corporate lawyery types aren't super comfortable with. (@zkat)
  • ee4c9bd8a #16474 The tests in test/tap/lifecycle-signal.js, as well as the features they are testing, are partially broken. This moves them from being skipped in CI to being disabled only for certain platforms. In particular, because npm spawns its lifecycle scripts in a shell, signals are not necessarily forwarded by the shell and won’t cause scripts to exit; also, shells may report the signal they receive using their exit status, rather than terminating themselves with a signal. (@addaleax)
  • 9462e5d9c #16547 Remove unused file: bin/read-package-json.js (@metux)
  • 0756d687d #16550 The build tools for the documentation need to be built/installed before the documents, even with parallel builds. Make has a simple mechanism which was made exactly for that: target dependencies. (@metux)
Commits

The new version differs by 67 commits.

  • 8367a4c 5.4.0
  • 1f96de0 update AUTHORS
  • 219589a doc: update changelog for npm@5.4.0
  • 761577e test: test no-global-warns: Use clean env, allow prerelease node warning
  • ba69f9e test: git-npmignore, don't look for .npmignore
  • eccf770 test: ignore files ignored by default, default ignores are overridable
  • 3dcd4b8 test: non-array bundledDependencies are handled without warnings
  • e3f7c84 test: add-remote-git-submodule cleanup and more helpful errors
  • 32c1222 tar: Remove use of old tar
  • 0195c0a pack: Use new tar
  • 7ef0d28 fstream@REMOVE
  • c7e10f2 npm-packlist@1.1.8
  • 4cd6a17 tar@4.0.1
  • 1544230 test: make sure env doesn't interfere with commit hooks test
  • 4f70561 test: make optional-metadep-rollback-collision use mocks, less weird server

There are 67 commits in total.

See the full diff

greenkeeper[bot] commented 7 years ago

Version 5.4.1 just got published.

Update to this version instead 🚀

Release Notes v5.4.1

v5.4.1 (2017-09-06):

This is a very small bug fix release to fix a problem where permissions on installed binaries were being set incorrectly.

Commits

The new version differs by 4 commits.

See the full diff

greenkeeper[bot] commented 7 years ago

Version 5.4.2 just got published.

Update to this version instead 🚀

Release Notes v5.4.2

This is a small bug fix release wrapping up most of the issues introduced with 5.4.0.

Bugs

  • 0b28ac72d #18458 Fix a bug on Windows where rolling back of failed optional dependencies would fail. (@marcins)
  • 3a1b29991 write-file-atomic@2.1.0 Revert update of write-file-atomic. There were changes made to it that were resulting in EACCES errors for many users. (@iarna)
  • cd8687e12 Fix a bug where if npm decided it needed to move a module during an upgrade it would strip out much of the package.json. This would result in broken trees after package updates.
  • 5bd0244ee #18385 Fix npm outdated when run on non-registry dependencies. (@joshclow) (@iarna)

Ux

  • 339f17b1e Report unsupported node versions with greater granularity. (@iarna)

Docs

Commits

The new version differs by 13 commits.

  • 20589f4 5.4.2
  • f4e267f update AUTHORS
  • 2eef82c doc: changelog for 5.4.2
  • 11cadb6 move: Cleanup standard violation
  • a537064 unsupported: Update test matrix
  • e5aedcd doc: In npm-config, note that env vars use _ in place of -.
  • b2ab6f4 doc: add "notice" loglevel and correct the default
  • 5bd0244 outdated: Use fetch-package-metadata, not cache.add
  • cd8687e move: Stop writing package.json
  • 3a1b299 write-file-atomic@2.1.0
  • 339f17b unsupported: Report unsupported node versions with greater granularity
  • 0b28ac7 install: fix bug with rollback of failed optional packages on Windows
  • e274500 travis: Remove bits that were stopping tests from running at all

See the full diff

greenkeeper[bot] commented 7 years ago

Version 5.5.1 just got published.

Update to this version instead 🚀

Release Notes v5.5.1

A very quick, record time, patch release, of a bug fix to a (sigh) last minute bug fix.

Commits

The new version differs by 26 commits.

There are 26 commits in total.

See the full diff

greenkeeper[bot] commented 6 years ago

Version 5.6.0 just got published.

Update to this version instead 🚀

Release Notes v5.6.0

Features!

You may have noticed this is a semver-minor bump. Wondering why? This is why!

  • bc263c3fd #19054 Fully cross-platform package-lock.json. Installing a failing optional dependency on one platform no longer removes it from the dependency tree, meaning that package-lock.json should now be generated consistently across platforms! 🎉 (@iarna)
  • f94fcbc50 #19160 Add --package-lock-only config option. This makes it so you can generate a target package-lock.json without performing a full install of node_modules. (@alopezsanchez)
  • 66d18280c #19104 Add new --node-options config to pass through a custom NODE_OPTIONS for lifecycle scripts. (@bmeck)
  • 114d518c7 Ignore mtime when packing tarballs: This means that doing npm pack on the same repository should yield two tarballs with the same checksum. This will also help prevent cache bloat when using git dependencies. In the future, this will allow npm to explicitly cache git dependencies. (@isaacs)

Node 9

Previously, it turns out npm broke on the latest Node, node@9. We went ahead and fixed it up so y'all should be able to use the latest npm again!

Bug Fixes

  • b70321733 #18881 When dealing with a node_modules that was created with older versions of npm (and thus older versions of npa) we need to gracefully handle older spec entries. Failing to do so results in us treating those packages as if they were http remote deps, which results in invalid lock files with version set to tarball URLs. This should now be fixed. (@iarna)
  • 2f9c5dd00 #18880 Stop overwriting version in package data on disk. This is another safeguard against the version overwriting that's plagued some folks upgrading from older package-locks. (@iarna) (@joshclow)
  • a93e0a51d #18846 Correctly save transitive dependencies when using npm update in package-lock.json. (@iarna)
  • fdde7b649 #18825 Fix typo and concatenation in error handling. (@alulsh)
  • be67de7b9 #18711 Upgrade to bearer tokens from legacy auth when enabling 2FA. (@iarna)
  • bfdf0fd39 #19033 Fix issue where files with @ signs in their names would not get included when packing tarballs. (@zkat)
  • b65b89bde #19048 Fix problem where npm login was ignoring various networking-related options, such as custom certs. (@wejendorp)
  • 8c194b86e npm-packlist@1.1.10: Include node_modules/ directories not in the root. (@isaacs)
  • d7ef6a20b libnpx@9.7.1: Fix some *nix binary path escaping issues. (@zkat)
  • 981828466 cacache@10.0.1: Fix fallback to copy-concurrently when file move fails. This might fix permissions and such issues on platforms that were getting weird filesystem errors during install. (@karolba)
  • a0be6bafb pacote@7.0.2: Includes a bunch of fixes, specially for issues around git dependencies. Shasum-related errors should be way less common now, too. (@zkat)
  • b80d650de #19163 Fix a number of git and tarball specs and checksum errors. (@zkat)
  • cac225025 #19054 Don't count failed optionals when summarizing installed packages. (@iarna)

UX

  • b1ec2885c #18326 Stop truncating output of npm view. This means, for example, that you no longer need to use --json when a package has a lot of versions, to see the whole list. (@SimenB)
  • 55a124e0a #18884 Profile UX improvements: better messaging on unexpected responses, and stop claiming we set passwords to null when resetting them. (@iarna)
  • 635481c61 #18844 Improve error messaging for OTP/2FA. (@iarna)
  • 52b142ed5 #19054 Stop running the same rollback multiple times. This should address issues where Windows users saw strange failures when fsevents failed to install. (@iarna)
  • 798428b0b #19172 bin-links@1.1.0: Log the fact line endings are being changed upon install. (@marcosscriven)

Refactors

Usually, we don't include internal refactor stuff in our release notes, but it's worth calling out some of them because they're part of a larger effort the CLI team and associates are undertaking to modularize npm itself so other package managers and associated tools can reuse all that code!

  • 9d22c96b7 #18500 Extract bin-links and gentle-fs to a separate library. This will allow external tools to do bin linking and certain fs operations in an npm-compatible way! (@mikesherov)
  • 015a7803b #18883 Capture logging from log events on the process global. This allows npm to use npmlog to report logging from external libraries like npm-profile. (@iarna)
  • c930e98ad npm-lifecycle@2.0.0: Use our own node-gyp. This means npm no longer needs to pull some maneuvers to make sure node-gyp is in the right place, and that external packages using npm-lifecycle will get working native builds without having to do their own node-gyp maneuvers. (@zkochan)
  • 876f0c8f3 829893d61 #19099 find-npm-prefix@1.0.1: npm's prefix-finding logic is now a standalone module. That is, the logic that figures out where the root of your project is if you've cd'd into a subdirectory. Did you know you can run npm install from these subdirectories, and it'll only affect the root? It works like git! (@iarna)

Docs

Dependency Bumps

Commits

The new version differs by 67 commits.

  • 5e426a7 5.6.0
  • e1ab2d1 update AUTHORS
  • 87cc9ed doc: update changelog for npm@5.6.0
  • 7ae3c4c Revert tar@4.1.0
  • 14f3be4 gentle-fs@2.0.1: fixes global force issues
  • 114d518 pack: stop including mtime so tarball packing usually results in the same sha
  • 39ba4aa tar@4.1.0
  • 2906bc6 test: fix some standard failures
  • a0be6ba pacote@7.0.2
  • 829893d config: Switch to find-npm-prefix module
  • 876f0c8 find-npm-prefix@1.0.1
  • 5dfe1c9 test: shrinkwrap-_auth: ditch hock
  • b80d650 pack/publish/install: fix git and tarball specs and checksum errors (#19163)
  • 66d1828 config: expose "node-options" passthrough for lifecycle scripts
  • 6003b41 npmrc: we can use ^ now‼

There are 67 commits in total.

See the full diff

greenkeeper[bot] commented 6 years ago

Version 5.7.1 just got published.

Update to this version instead 🚀

Release Notes v5.7.1

This release reverts a patch that could cause some ownership changes on system files when running from some directories when also using sudo. 😲

Thankfully, it only affected users running npm@next, which is part of our staggered release system, which we use to prevent issues like this from going out into the wider world before we can catch them. Users on latest would have never seen this!

The original patch was added to increase consistency and reliability of methods npm uses to avoid writing files as root in places it shouldn't, but the change was applied in places that should have used regular mkdirp`. This release reverts that patch.

Commits

The new version differs by 55 commits.

  • 8452a9d 5.7.1
  • 7dff9d6 doc: update changelog for npm@5.7.1
  • 74e149d Revert "*: Switch from mkdirp to correctMkdir to preserve perms and owners"
  • d3095ff 5.7.0
  • b3ecd3d update AUTHORS
  • c493181 doc: changelog for 5.7.0
  • 259012e install/deps: Pass our logger through to removeObsoleteDep from earliestInstallable
  • 6954dfc install: Regenerate the logical tree after loading our lockfile
  • 9bc6230 libcipm@1.3.3
  • 4f5327c auth: Add support for web-based logins
  • e7c5d22 npm-profile@3.0.1
  • 6b552da uuid@3.2.1
  • 51370aa semver@5.5.0
  • 9b6bdb2 query-string@5.1.0
  • f526992 tap@11.1.1

There are 55 commits in total.

See the full diff

greenkeeper[bot] commented 6 years ago

Version 5.8.0 just got published.

Update to this version instead 🚀

Commits

The new version differs by 53 commits.

  • ee147fb 5.8.0
  • 7d5a7ea docs: tiny changelog fixes
  • df27cdd 5.8.0-next.0
  • 9b206bb update AUTHORS
  • a571f80 doc: update changelog for npm@5.8.0
  • 58d2aa5 pack: use a specific mtime when packing (#20027)
  • 8150dd5 makefile: dont call destructive 'uninstall' on clean (#16540)
  • b2a1cf0 docs: document browser field (#18382)
  • 9847c82 error-message: more detailed message for inaccessible files. (#18384)
  • 7a87051 docs: Clarify that "files" is an exclusive list of files (#18407)
  • f0e998d config: Do replace environment in config files even for keys (#18426)
  • b57780b pack: Don't rely on entry point to be npm-cli.js (#18450)
  • d7ff071 docs: capitalize javascript cause why not (#18514)
  • d70c019 unsupported: Remove ES6 code from unsupported error logging (#18953)
  • 35c4abd docs: typo fix in coding style (#18976)

There are 53 commits in total.

See the full diff