Open greenkeeper[bot] opened 6 years ago
Update to this version instead π
b267bbbb9
npm/lockfile#29 lockfile@1.0.4
: Switches to signal-exit
to detect abnormal exits and remove locks. (@Redsandro)If a published modules had legacy npm-shrinkwrap.json
we were saving ordinary registry dependencies (name@version
) to your package-lock.json
as https://
URLs instead of versions.
89102c0d9
When saving the lock-file compute how the dependency is being required instead of using _resolved
in the package.json
. This fixes the bug that was converting registry dependencies into https://
dependencies. (@iarna)676f1239a
When encountering a https://
URL in our lockfiles that point at our default registry, extract the version and use them as registry dependencies. This lets us heal package-lock.json
files produced by 6.0.0 (@iarna)You can't use it quite yet, but we do have a few last moment patches to npm audit
to make it even better when it is turned on!
b2e4f48f5
Make sure we hide stream errors on background audit submissions. Previously some classes of error could end up being displayed (harmlessly) during installs. (@iarna)1fe0c7fea
Include session and scope in requests (as we do in other requests to the registry). (@iarna)d04656461
Exit with non-zero status when vulnerabilities are found. So you can have npm audit
as a test or prepublish step! (@iarna)fcdbcbacc
Verify lockfile integrity before running. You'd get an error either way, but this way it's faster and can give you more concrete instructions on how to fix it. (@iarna)2ac8edd42
Refuse to run in global mode. Audits require a lockfile and globals don't have one. Yet. (@iarna)3dcc240db
Timeout audit requests eventually. (@iarna)We're still a way from having node@11, so now's a good time to ensure we don't warn about being used with it.
b7fca1084
#20407 Update the lock-file spec doc to mention that we now generate the from field for git
-type dependencies. (@watilde)7a6555e61
#20408 Describe what the colors in outdated mean. (@teameh)5e56b3209
npm-audit-report@1.0.8
(@evilpacket)58a0b31b4
lock-verify@2.0.2
(@iarna)e7a8c364f
zkat/pacote#148 pacote@8.1.1
(@redonkulus)46c0090a5
tar@4.4.2
(@isaacs)8a16db3e3
update-notifier@2.5.0
(@alexccl)696375903
safe-buffer@5.1.2
(@feross)c949eb26a
query-string@6.1.0
(@sindresorhus)The new version differs by 32 commits.
1365694
6.0.1
7163421
doc: update changelog for npm@6.0.1 final
ed1aebf
unsupported: Allow node@11, when it comes
3dcc240
audit: Timeout audit requests eventually
279ef3a
6.0.1-next.0
44cad2d
update AUTHORS
b08d903
travis: Add node v10
328531a
mailmap: Update with real names
3a94056
lock-verify@2.0.2 (fix bundling)
5702175
audit: Only report audit as being unsupported on 404 and >= 500
cb560d4
doc: update changelog for npm@6.0.1
7a6555e
docs: describe what colors in outdated mean
b7fca10
docs: add from field back into git dependencies
be51b38
makefile: call cache clean with --force
2ac8edd
audit: Refuse to run in global mode
There are 32 commits in total.
See the full diff
Update to this version instead π
Look at that! A feature bump! npm@6
was super-exciting not just because it used a bigger number than ever before, but also because it included a super shiny new command: npm audit
. Well, we've kept working on it since then and have some really nice improvements for it. You can expect more of them, and the occasional fix, in the next few releases as more users start playing with it and we get more feedback about what y'all would like to see from something like this.
I, for one, have started running it (and the new subcommand...) in all my projects, and it's one of those things that I don't know how I ever functioned -without- it! This will make a world of difference to so many people as far as making the npm ecosystem a higher-quality, safer commons for all of us.
This is also a good time to remind y'all that we have a new RFCs repository, along with a new process for them. This repo is open to anyone's RFCs, and has already received some great ideas about where we can take the CLI (and, to a certain extent, the registry). It's a great place to get feedback, and completely replaces feature requests in the main repo, so we won't be accepting feature requests there at all anymore. Check it out if you have something you'd like to suggest, or if you want to keep track of what the future might look like!
npm audit fix
This is the biggie with this release! npm audit fix
does exactly what it says on the tin. It takes all the actionable reports from your npm audit
and runs the installs automatically for you, so you don't have to try to do all that mechanical work yourself!
Note that by default, npm audit fix
will stick to semver-compatible changes, so you should be able to safely run it on most projects and carry on with your day without having to track down what breaking changes were included. If you want your (toplevel) dependencies to accept semver-major bumps as well, you can use npm audit fix --force
and it'll toss those in, as well. Since it's running the npm installer under the hood, it also supports --production
and --only=dev
flags, as well as things like --dry-run
, --json
, and --package-lock-only
, if you want more control over what it does.
Give it a whirl and tell us what you think! See npm help audit
for full docs!
audit
FEATURES1854b1c7f
#20568 Add support for npm audit --json
to print the report in JSON format. (@finnp)85b86169d
#20570 Include number of audited packages in npm install
summary output. (@zkat)957cbe275
npm-audit-report@1.2.1
: Overhaul audit install and detail output format. The new format is terser and fits more closely into the visual style of the CLI, while still providing you with the important bits of information you need. They also include a bit more detail on the footer about what actions you can take! (@zkat)npm init <pkg>
!Another exciting change that came with npm@6
was the new npm init
command that allows for community-authored generators. That means you can, for example, do npm init react-app
and it'll one-off download, install, and run create-react-app
for you, without requiring or keeping around any global installs. That is, it basically just calls out to npx
.
The first version of this command only really supported registry dependencies, but now, @jdalton went ahead and extended this feature so you can use hosted git dependencies, and their shorthands.
So go ahead and do npm init facebook/create-react-app
and it'll grab the package from the github repo now! Or you can use it with a private github repository to maintain your organizational scaffolding tools or whatnot.
First introduced in 5.8.0, this finally puts to bed errors where you would occasionally see Error: write after end at MiniPass.write
.
171f3182f
node-tar#180 npm.community#35 pacote@8.1.5
: Fix write-after-end errors. (@zkat)0e1726c03
We can now determine if the commitid of a git dependency in the lockfile is derived from the specifier in the package.json and if it isn't we now trigger an update for it. (@iarna)442d2484f
2f0c88351
631d30a34
When requesting the update of a direct dependency that was also a transitive dependency to a version incompatible with the transitive requirement and you had a lock-file but did not have a node_modules
folder then npm would fail to provide a new copy of the transitive dependency, resulting in an invalid lock-file that could not self heal. (@iarna)be5dd0f49
#20715 Cleanup output of npm ci
summary report. (@legodude17)98ffe4adb
Node.js now has a test that scans for things that look like conflict markers in source code. This was triggering false positives on a fixture in a test of npm's ability to heal lockfiles with conflicts in them. (@iarna)a41c0393c
#20538 Make the new npm view
work when the license field is an object instead of a string. (@zkat)eb7522073
#20582 Add support for environments (like Docker) where the expected binary for opening external URLs is not available. (@bcoe)212266529
#20536 Fix a spurious colon in the new update notifier message and add support for the npm canary. (@zkat)5ee1384d0
#20597 Infer a version range when a package.json
has a dist-tag instead of a version range in one of its dependency specs. Previously, this would cause dependencies to be flagged as invalid. (@zkat)4fa68ae41
#20585 Make sure scoped bundled deps are shown in the new publish preview, too. (@zkat)1f3ee6b7e
cacache@11.0.2
: Stop dropping size
from metadata on npm cache verify
. (@jfmartinez)91ef93691
#20513 Fix nested command aliases. (@mmermerkaya)18b2b3cf7
npm-lifecycle@2.0.3
: Make sure different versions of the Path
env var on Windows all get node_modules/.bin
prepended when running lifecycle scripts. (@laggingreflex)a91d87072
#20550 Update required node versions in README. (@legodude17)bf3cfa7b8
Pull in changelogs from the last npm@5
release. (@iarna)b2f14b14c
#20629 Make tone in publishConfig
docs more neutral. (@jeremyckahn)5fca4eae8
byte-size@4.0.3
(@75lb)d9ef3fba7
lru-cache@4.1.3
(@isaacs)f1baf011a
request@2.86.0
(@simonv)005fa5420
require-inject@1.4.3
(@iarna)1becdf09a
tap@11.1.5
(@isaacs)3f2e306b8
Using npm audit fix
, replace some transitive dependencies with security issues with versions that don't have any. (@iarna)1d07134e0
tar@4.4.1
: Dropping to 4.4.1 from 4.4.2 due to npm/node-tar#183 (@zkat)The new version differs by 39 commits.
4c65cd9
6.1.0
b152d3e
scripts: Make release script include tests
f29b7a6
doc: Changelog for 6.1.0
631d30a
deps: Use shrinkwrap root for relative pathing
2f0c883
inflate-shrinkwrap: Stop shortcircuiting tree walks with fake children
442d248
shrinkwrap: Stop special-casing fake children in shrinkwraps
3f2e306
deps: audit-fix our transitive deps
be5dd0f
ci: pause log before logging summary (#20715)
0e1726c
deps: Now that from is in the lockfile, tighten git matching
171f318
pacote@8.1.5
1d07134
tar@4.4.1
98ffe4a
test: Make sure the naive node conflict scanner is ok
a8d89d9
doc: Fix changelog for 6.0.1
83a7051
6.1.0-next.0
91d6f5f
update AUTHORS
There are 39 commits in total.
See the full diff
Update to this version instead π
The new version differs by 58 commits.
ab3c62a
6.2.0
0cfe801
update AUTHORS
890c132
doc: update changelog for npm@6.2.0
7a08a9b
empty
322d9c2
chore: Make standard happy
4231a0a
meta: Add cli-table3 to bundledeps
f0a372b
docs: replace references to the old repo or issue tracker (#5)
4c32413
run-script: Do not use SET to fetch the env in git-bash or cygwin
7984206
version: Add new sign-git-commit config (#12697)
244b183
audit: add support for --parseable output (#20554)
7381783
docs: republish waiting period (#20920)
5724983
docs: remove back-ticks not being parsed as markdown (#21165)
90c759f
npm-audit-report@1.3.1
8dc6d76
cli-table3@0.5.0
2ac48f8
node-gyp@3.7.0
There are 58 commits in total.
See the full diff
Update to this version instead π
This is basically the same as the prerelease, but two dependencies have been bumped due to bugs that had been around for a while.
The new version differs by 21 commits.
14bd214
6.3.0
0a53c10
changelog: update generator script
fa54524
doc: update changelog for npm@6.3.0
0096f69
cacache@11.1.0
0a22be4
figgy-pudding@3.2.0
5b8929a
6.3.0-next.0
92c9301
update AUTHORS
95963ee
doc: update changelog for npm@6.3.0
e115f9d
docs: use https when possible. (#7)
ad0dd22
version: allow prerelease identifier (#26)
9db1540
deps: remove wrappy from package.json (#27)
21cf0ab
profile: better explanation on OTP (#24)
a9ac871
utils: use the extracted stringify-package module (#21)
a67db56
docs: replace troubleshooting.md with posts (#17)
35e51f7
docs: update build status url (#18)
There are 21 commits in total.
See the full diff
Update to this version instead π
The new version differs by 20 commits.
58ece89
6.4.0
361226d
6.4.0-next.0
214ef61
update AUTHORS
dbbb75c
doc: update changelog for npm@6.4.0
f861c2b
node-gyp@3.8.0
866d776
request@2.87.0
50df1bf
hosted-git-info@2.7.1
46f1c6a
tar@4.4.6
e57d345
iferr@1.0.2
348fc91
validate-npm-package-license@3.0.4
beb96b9
libcipm@2.0.1
e2346e7
docs: added a section for usage with process.env (#14)
d811461
cli: don't check for updates to npm when we are updating npm itself (#32)
792c8c7
audit: configurable audit level for non-zero exit (#31)
32e6947
colors@1.1.2 (#39)
There are 20 commits in total.
See the full diff
Update to this version instead π
4bd40f543
#42 Prevent blowing up on malformed responses from the npm audit
endpoint, such as with third-party registries. (@framp)0e576f0aa
#46 Fix NO_PROXY
support by renaming npm-side config to --noproxy
. The environment variable should still work. (@SneakyFish5)d8e811d6a
#33 Disable update-notifier
checks when a CI environment is detected. (@Sibiraj-S)1bc5b8cea
#47 Fix issue where postpack
scripts would break if pack
was used with --dry-run
. (@larsgw)4c57316d5
figgy-pudding@3.4.1
(@zkat)85f4d7905
cacache@11.2.0
(@zkat)d20ac242a
npm-packlist@1.1.11
: No real changes in npm-packlist, but npm-bundled included a circular dependency fix, as well as adding a proper LICENSE file. (@isaacs)e8d5f4418
npm.community#632 libcipm@2.0.2
: Fixes issue where npm ci
wasn't running the prepare
lifecycle script when installing git dependencies (@edahlseng)a5e6f78e9
JSONStream@1.3.4
: Fixes memory leak problem when streaming large files (like legacy npm search). (@daern91)3b940331d
npm.community#1042 npm-lifecycle@2.1.0
: Fixes issue for Windows user where multiple Path
/PATH
variables were being added to the environment and breaking things in all sorts of fun and interesting ways. (@JimiC)d612d2ce8
npm-registry-client@8.6.0
(@iarna)1f6ba1cb1
opener@1.5.0
(@domenic)37b8f405f
request@2.88.0
(@mikeal)bb91a2a14
tacks@1.2.7
(@iarna)30bc9900a
ci-info@1.4.0
: Adds support for two more CI services (@watson)1d2fa4ddd
marked@0.5.0
(@joshbruce)08ecde292
#54 Mention registry terms of use in manpage and registry docs and update language in README for it. (@kemitchell)de956405d
#41 Add documentation for --dry-run
in install
and pack
docs. (@reconbot)95031b90c
#48 Update republish time and lightly reorganize republish info. (@neverett)767699b68
#53 Correct npm@6.4.0
release date in changelog. (@charmander)3fea3166e
#55 Align command descriptions in help text. (@erik)The new version differs by 33 commits.
59e5056
6.4.1
bae4ede
6.4.1-next.0
e3a0762
update AUTHORS
f8396dd
doc: update changelog for npm@6.4.1
7eeacdb
gen-changelog: fix npm.community url parsing
d4242d4
gen-changelog: appease standard
bced18e
gen-changelog: Strip CRs from commit messages
54b4bc8
gen-changelog: git update incresed length of "short" hashes
f5eed2e
gen-changelog: Default repo is npm/cli now
ee5066a
gen-changelog: match npm.community urls in addition to github ones
f86570d
gen-changelog: Actually match content on fixes lines
1d2fa4d
marked@0.5.0
30bc990
ci-info@1.4.0
1bc5b8c
pack: add dryRun option to packDirectory (#47)
d8e811d
update-notifier: skip checking for updates in CI environments
There are 33 commits in total.
See the full diff
dependency
npm was updated from 5.10.0
to 6.5.0
.Update to this version instead π
The new version differs by 42 commits.
ab0f026
6.5.0
661e5c6
travis: 10 is LTS now
260f271
travis: only run license check once per full test run (like standard)
f426a0e
travis: Add node@11 to test matrix
63f8a83
unsupported: Add v12 (nightlies) to supported list
c95edb2
chore: fix name of fake-registry docs
6084ed1
6.5.0-next.0
6de34c1
update AUTHORS
499cbbd
doc: update changelog for npm@6.5.0
2499303
deps: gitignore licensee and deps
353a81f
license: whitelist config-chain again
61dbbb7
doc: fix semver docs
027f06b
ci-info@1.6.0
ab62afc
npm-packlist@1.1.12
43b1f4c
tar@4.4.8
There are 42 commits in total.
See the full diff
dependency
npm was updated from 5.10.0
to 6.8.0
.Update to this version instead π
This release includes an implementation of RFC #10, documenting an optional field that can be used to specify the directory path for a package within a monorepo.
3663cdef2
#140 Update package.json docs to include repository.directory details. (@greysteil)550bf703a
Add @types
to ignore list to fix git clean -fd. (@zkat)cdb059293
#144 Fix common.npm callback arguments. (@larsgw)25573e9b9
npm.community#4770 Show installed but unmet peer deps. (@larsgw)ce2c4bd1a
#149 Use figgy-config to make sure extra opts are there. (@zkat)3c22d1a35
npm.community#5101 Fix ls-collaborators
access error for non-scoped case. (@zkat)d5137091d
npm.community#754 Fix issue with sub-folder local references. (@iarna) (@jhecking)d72141080
npm-registry-couchapp@2.7.1
(@zkat)671cad1b1
npm-registry-fetch@3.9.0
: Make sure publishing with legacy username:password _auth
works again. (@zkat)95ca1aef4
pacote@9.4.1
(@aeschright)322fef403
normalize-package-data@2.5.0
(@aeschright)32d34c0da
npm-packlist@1.3.0
(@aeschright)338571cf0
read-package-tree@5.2.2
(@zkat)The new version differs by 41 commits.
67142b3
6.8.0
c7da272
chore: update changelog for final 6.8.0 release
338571c
read-package-tree@5.2.2
0c97036
Revert "install/dedupe: fix hoisting of packages with peerDeps (#147)" (#152)
26b768d
6.8.0-next.2
b436cb0
update AUTHORS
7b87710
chore: update changelog for 6.8.0
d513709
Fix issue with sub folder local references (#86)
7c62cde
6.8.0-next.1
f54bf9e
chore: update changelog for 6.8.0
32d34c0
npm-packlist@1.3.0
322fef4
normalize-package-data@2.5.0
3c22d1a
access: ls-collaborators is ok with non-scoped (#151)
309260d
6.8.0-next.0
f28a94c
update AUTHORS
There are 41 commits in total.
See the full diff
dependency
npm was updated from 5.10.0
to 6.9.0
.Update to this version instead π
The new version differs by 52 commits ahead by 52, behind by 26.
656bce7
6.9.0
de0ebe1
6.9.0-next.0
5ac0950
update AUTHORS
f957798
doc: update changelog for npm@6.9.0
96e4fa9
tap@12.5.3
9b8b651
npm-packlist@1.4.1
2b78288
test: add core to default inclusion tests in pack
57e771a
licensee@6.1.0 (#164)
2ba3a0f
install: add --before date support for time traveling~ (#90)
baaedbc
pacote@9.5.0
b7b54f2
install: add support for package aliases (#3)
2ce23ba
lock-verify@2.1.0
e135c2b
update: re-enable updating local packages
8047b19
install: match git semver ranges (#115)
433020e
docs: described exit codes in npm-audit docs
There are 52 commits in total.
See the full diff
dependency
npm was updated from 5.10.0
to 6.9.1
.Update to this version instead π
6b1a9da0e
#165 Update knownBroken
version. (@ljharb)d07547154
npm.community#5929 Fix outdated
rendering for global dependencies. (@zkat)e4a1f1745
npm.community#6259 Fix OTP for token create and remove. (@zkat)a163a9c35
sha@3.0.0
(@aeschright)47b08b3b9
query-string@6.4.0
(@aeschright)d6a956cff
readable-stream@3.2.0
(@aeschright)10b8bed2b
tacks@1.3.0
(@aeschright)e7483704d
tap@12.6.0
(@aeschright)3242fe698
tar-stream@2.0.1
(@aeschright)The new version differs by 12 commits.
43cb258
6.9.1
199c970
6.9.1-next.0
dcc759c
doc: update changelog for npm@6.9.1
3242fe6
tar-stream@2.0.1
e748370
tap@12.6.0
10b8bed
tacks@1.3.0
d6a956c
readable-stream@3.2.0
47b08b3
query-string@6.4.0
a163a9c
sha@3.0.0
e4a1f17
token: fix otp for create and remove (#175)
d075471
outdated: fix rendering for global dependencies (#173)
6b1a9da
Update knownBroken
version (#165)
See the full diff
dependency
npm was updated from 5.10.0
to 6.9.2
.dependency
npm was updated from 5.10.0
to 6.10.0
.dependency
npm was updated from 5.10.0
to 6.10.1
.dependency
npm was updated from 5.10.0
to 6.10.2
.dependency
npm was updated from 5.10.0
to 6.10.3
.dependency
npm was updated from 5.10.0
to 6.11.0
.dependency
npm was updated from 5.10.0
to 6.11.1
.dependency
npm was updated from 5.10.0
to 6.11.2
.dependency
npm was updated from 5.10.0
to 6.11.3
.dependency
npm was updated from 5.10.0
to 6.12.0
.dependency
npm was updated from 5.10.0
to 6.12.1
.dependency
npm was updated from 5.10.0
to 6.13.0
.dependency
npm was updated from 5.10.0
to 6.13.1
.dependency
npm was updated from 5.10.0
to 6.13.2
.dependency
npm was updated from 5.10.0
to 6.13.3
.dependency
npm was updated from 5.10.0
to 6.13.4
.dependency
npm was updated from 5.10.0
to 6.13.5
.dependency
npm was updated from 5.10.0
to 6.13.6
.dependency
npm was updated from 5.10.0
to 6.13.7
.dependency
npm was updated from 5.10.0
to 6.14.0
.dependency
npm was updated from 5.10.0
to 6.14.1
.dependency
npm was updated from 5.10.0
to 6.14.2
.dependency
npm was updated from 5.10.0
to 6.14.3
.dependency
npm was updated from 5.10.0
to 6.14.4
.dependency
npm was updated from 5.10.0
to 6.14.5
.
Version 6.0.0 of npm was just published.
The version 6.0.0 is not covered by your current version range.
If you donβt accept this pull request, your project will work just like it did before. However, you might be missing out on a bunch of new features, fixes and/or performance improvements from the dependency update.
It might be worth looking into these changes and trying to get this project onto the latest version of npm.
If you have a solid test suite and good coverage, a passing build is a strong indicator that you can take advantage of these changes directly by merging the proposed change into your project. If the build fails or you donβt have such unconditional trust in your tests, this branch is a great starting point for you to work on the update.
Commits
The new version differs by 121 commits.
7e679fd
6.0.0
73e50a7
test: prepublish-only: Use our own copy of npm
82dfa54
6.0.0-next.2
408a7ff
update AUTHORS
1b021d0
doc: update changelog for npm@6.0.0
9c1eb94
inflate-shrinkwrap: For git changelings use version as resolved
2facb35
has-modern-meta: Correctly identify git changelings
e4ed976
install/deps: Let git deps w/ lock only match package.json
552ff6d
audit: Ensure we don't mutate the shrinkwrap
f2386e1
test: standard common-tap
1d8ac24
test: JSON parse error message changed slightly
cd36a21
audit: Avoid config-meta's literal-only test
09c7348
test: Default audit to off when testing
8e71334
audit: Add docs
be393a2
audit: Temporarily suppress git metadata till there's an opt-in
There are 121 commits in total.
See the full diff
FAQ and help
There is a collection of [frequently asked questions](https://greenkeeper.io/faq.html). If those donβt help, you can always [ask the humans behind Greenkeeper](https://github.com/greenkeeperio/greenkeeper/issues/new).Your Greenkeeper bot :palm_tree: