Closed greenkeeper[bot] closed 7 years ago
Update to this version instead 🚀
Hey y'all! Hope you're enjoying the new npm!
As you all know, fresh software that's gone through major overhauls tends to miss a lot of spots the old one used to handle well enough, and npm@5
is no exception. The CLI team will be doing faster release cycles that go directly to the latest
tag for a couple of weeks while 5 stabilizes a bit and we're confident the common low-hanging fruit people are running into are all taken care of.
With that said: this is our first patch release! The biggest focus is fixing up a number of git-related issues that folks ran into right out the door. It also fixes other things, like some proxy/auth-related issues, and even has a neat speed boost! (You can expect more speed bumps in the coming releases as pending work starts landing, too!)
Thanks everyone who's been reporting issues and submitting patches!
e61e68dac
#16762 Make npm publish
obey the --tag
flag again. (@zkat)923fd58d3
9aac984cb
Guard against a particular failure mode for a bug still being hunted down. (@iarna)80ab521f1
Pull in dependency updates for various core deps:
pacote
fixes several git-related bugs.ssri
update fixes crash on early node@4 versions.make-fetch-happen
update fixes proxy authentication issue.npm-user-validate
adds regex for blocking usernames with illegal chars.7e5ce87b8
pacote@2.7.26
: Fixes various other git issues related to commit hashes. (@zkat)acbe85bfc
#16791 npm view
was calling cb
prematurely and giving partial output when called in a child process. (@zkat)ebafe48af
#16750 Hamilpatch the Musical: Talk less, complete more. (@aredridel)dc2823a6c
#16799 Document that package-lock.json
is never allowed in tarballs. (@sonicdoe)f3cb84b44
#16771 Fix npm -l
usage information for the test
command. (@grawlinson)Update to this version instead 🚀
Here's another patch release, soon after the other!
This particular release includes a slew of fixes to npm's git support, which was causing some issues for a chunk of people, specially those who were using self-hosted/Enterprise repos. All of those should be back in working condition now.
There's another shiny thing you might wanna know about: npm has a Canary release now! The npm5
experiment we did during our beta proved to be incredibly successful: users were able to have a tight feedback loop between reports and getting the bugfixes they needed, and the CLI team was able to roll out experimental patches and have the community try them out right away. So we want to keep doing that.
From now on, you'll be able to install the 'npm canary' with npm i -g npmc
. This release will be a separate binary (npmc
. Because canary. Get it?), which will update independently of the main CLI. Most of the time, this will track release-next
or something close to it. We might occasionally toss experimental branches in there to see if our more adventurous users run into anything interesting with it. For example, the current canary (npmc@5.0.1-canary.6
) includes an experimental multiproc branch that parallelizes tarball extraction across multiple processes.
If you find any issues while running the canary version, please report them and let us know it came from npmc
! It would be tremendously helpful, and finding things early is a huge reason to have it there. Happy hacking!
Just a heads up: We're preparing to do a massive cleanup of the issue tracker. It's been a long time since it was something we could really keep up with, and we didn't have a process for dealing with it that could actually be sustainable.
We're still sussing the details out, and we'll talk about it more when we're about to do it, but the plan is essentially to close old, abandoned issues and start over. We will also add some automation around issue management so that things that we can't keep up with don't just stay around forever.
Stay tuned!
1f26e9567
pacote@2.7.27
: Fixes installing committishes that look like semver, even though they're not using the required #semver:
syntax. (@zkat)85ea1e0b9
npm-package-arg@5.1.1
: This includes the npa git-parsing patch to make it so non-hosted SCP-style identifiers are correctly handled. Previously, npa would mangle them (even though hosted-git-info is doing the right thing for them). (@zkat)The new summary output has been really well received! One downside that reared its head as more people used it, though, is that it doesn't really tell you anything about the toplevel versions it installed. So, if you did npm i -g foo
, it would just say "added 1 package". This patch by @rmg keeps things concise while still telling you what you got! So now, you'll see something like this:
$ npm i -g foo bar
+ foo@1.2.3
+ bar@3.2.1
added 234 packages in .005ms
362f9fd5b
#16899 For every package that is given as an argument to install, print the name and version that was actually installed. (@rmg)a47593a98
#16835 Fix a crash while installing with --no-shrinkwrap
. (@jacknagel)89e0cb816
#16818 Fixes a spelling error in the docs. Because the CLI team has trouble spelling "package", I guess. (@ankon)c01fbc46e
#16895 Remove --save
from npm init
instructions, since it's now the default. (@jhwohlgemuth)80c42d218
Guard against cycles when inflating bundles, as symlinks are bundles now. (@iarna)7fe7f8665
#16674 Write the builtin config for npmc
, not just npm
. This is hardcoded for npm self-installations and is needed for Canary to work right. (@zkat)63df4fcdd
#16894 node-gyp@3.6.2
: Fixes an issue parsing SDK versions on Windows, among other things. (@refack)5bb15c3c4
read-package-tree@5.1.6
: Fixes some racyness while reading the tree. (@iarna)a6f7a52e7
aproba@1.1.2
: Remove nested function declaration for speed up (@mikesherov)The new version differs by 15 commits.
d654a8e
5.0.2
00878e5
update AUTHORS
90a25f6
doc: update changelog for npm@5.0.2
a6f7a52
aproba@1.1.2
37b85db
install: bikeshed new package output
362f9fd
install: print spec for each requested package (#16899)
7fe7f86
build: get npm to write the builtin config even if npm binary name changes
85ea1e0
npm-package-arg@5.1.1
5bb15c3
read-package-tree@5.1.6
80c42d2
inflate-bundled: Guard against cycles, as symlinks are bundles now
63df4fc
node-gyp@3.6.2
c01fbc4
docs: remove --save from npm init instructions (#16895)
89e0cb8
docs: fix package typo (#16818)
a47593a
inflate-shrinkwrap: fix installing with --no-shrinkwrap (#16835)
1f26e95
pacote@2.7.27
See the full diff
Update to this version instead 🚀
Happy Monday, y'all! We've got another npm release for you with the fruits of our ongoing bugsquashing efforts. You can expect at least one more this week, but probably more -- and as we announced last week, we'll be merging fixes more rapidly into the npmc
canary so you can get everything as soon as possible!
Hope y'all are enjoying npm5 in the meantime, and don't hesitate to file issues for anything you find! The goal is to get this release rock-solid as soon as we can.
6e12a5cc0
Bump several dependencies to get improvements and bugfixes:
cacache
: content files (the tarballs) are now read-only.pacote
: fix failing clones with bad heads, send extra TLS-related opts to proxy, enable global auth configurations and _auth
-based auth.ssri
: stop crashing with can't call method find of undefined
when running into a weird opts.integrity
/opts.algorithms
conflict during verification.89cc8e3e1
#16917 Send ca
, cert
and key
config through to network layer. (@colinrotherham)6a9b51c67
#16929 Send npm-session
header value with registry requests again. (@zarenner)662a15ab7
Fix npm doctor
so it stop complaining about read-only content files in the cache. (@zkat)191d10a66
#16918 Clarify prepublish deprecation message. (@Hirse)The new version differs by 11 commits.
fb8de0d
5.0.3
cd3886a
update AUTHORS
758942c
doc: update changelog for npm@5.0.3
662a15a
doctor: new cacache sets content files to be read-only
346cb00
standard: fixing linting issues
89cc8e3
pacote: send certificate authority, cert and key config through (#16917)
191d10a
docs: fix up prepublish deprecation message
6e12a5c
deps: bump cacache, pacote, ssri, readable-stream, safe-buffer
0b9fc56
ci: add node 8 to travis (#16934)
b66b5bb
ci: add node 8 to appveyor.yml (#16935)
6a9b51c
pacote: Generate and pass npm-session header value to pacote (#16929)
See the full diff
Update to this version instead 🚀
Hey y'all. This is another minor patch release with a variety of little fixes we've been accumulating~
f0a37ace9
Fix npm doctor
when hitting registries without ping
. (@zkat)64f0105e8
Fix invalid format error when setting cache-related headers. ([@kat Marchán](https://github.com/Kat Marchán))d2969c80e
Fix spurious EINTEGRITY
issue. (@zkat)800cb2b4e
#17076 Use legacy from
field to improve upgrade experience from legacy shrinkwraps and installs. (@zkat)4100d47ea
#17007 Restore loose semver parsing to match older npm behavior when running into invalid semver ranges in dependencies. (@zkat)35316cce2
#17005 Emulate npm@4's behavior of simply marking the peerDep as invalid, instead of crashing. (@zkat)e7e8ee5c5
#16937 Workaround for separate bug where requested
was somehow null. (@forivall)2d9629bb2
Better logging output for git errors. (@zkat)2235aea73
More scp-url fixes: parsing only worked correctly when a committish was present. (@zkat)80c33cf5e
Standardize package permissions on tarball extraction, instead of using perms from the tarball. This matches previous npm behavior and fixes a number of incompatibilities in the wild. (@zkat)2b1e40efb
Limit shallow cloning to hosts which are known to support it. (@zkat)The new version differs by 16 commits.
d2b4744
5.0.4
bf30a8d
update AUTHORS
a5384a3
doc: update changelog for npm@5.0.4
2b1e40e
git: bump pacote for git shallow clone fix
80c33cf
extract: force standardized perms like npm used to
2235aea
git: use latest npa for more scp url fixes
2d9629b
pacote: pull in new version with better git logging
e7e8ee5
shrinkwrap: quick fix for possibility that req is sometimes null (#16937)
35316cc
deps: ignore npa.resolve error from parsing peerDeps (#17005)
4100d47
deps: use relaxed semver range matching for compatibility (#17007)
800cb2b
shrinkwrap: lean on from field for better forward-compat (#17076)
d2969c8
pacote: (hopefully) fix integrity-related issue
64f0105
deps: bump pacote to fix local-cache header issue
bfe44d4
commands: mix it up a bit (#17001)
f0a37ac
doctor: ignore errors from ping()
There are 16 commits in total.
See the full diff
Update to this version instead 🚀
Hey y'all. This is another minor patch release with a variety of little fixes we've been accumulating~
f0a37ace9
Fix npm doctor
when hitting registries without ping
. (@zkat)64f0105e8
Fix invalid format error when setting cache-related headers. ([@kat Marchán](https://github.com/Kat Marchán))d2969c80e
Fix spurious EINTEGRITY
issue. (@zkat)800cb2b4e
#17076 Use legacy from
field to improve upgrade experience from legacy shrinkwraps and installs. (@zkat)4100d47ea
#17007 Restore loose semver parsing to match older npm behavior when running into invalid semver ranges in dependencies. (@zkat)35316cce2
#17005 Emulate npm@4's behavior of simply marking the peerDep as invalid, instead of crashing. (@zkat)e7e8ee5c5
#16937 Workaround for separate bug where requested
was somehow null. (@forivall)2d9629bb2
Better logging output for git errors. (@zkat)2235aea73
More scp-url fixes: parsing only worked correctly when a committish was present. (@zkat)80c33cf5e
Standardize package permissions on tarball extraction, instead of using perms from the tarball. This matches previous npm behavior and fixes a number of incompatibilities in the wild. (@zkat)2b1e40efb
Limit shallow cloning to hosts which are known to support it. (@zkat)Update to this version instead 🚀
Hey y'all~
We've got some goodies for you here, including npm@5
's first semver-minor release! This version includes a huge number of fixes, particularly for some of the critical bugs users were running into after upgrading npm. You should overall see a much more stable experience, and we're going to continue hacking on fixes for the time being. Semver-major releases, specially for tools like npm, are bound to cause some instability, and getting npm@5
stable is the CLI team's top priority for now!
Not that bugfixes are the only things that landed, either: between improvements that fell out of the bugfixes, and some really cool work by community members like @mikesherov, npm@5.1.0
is twice as fast as npm@5.0.0
in some benchmarks. We're not stopping there, either: you can expect a steady stream of speed improvements over the course of the year. It's not top priority, but we'll keep doing what we can to make sure npm saves its users as much time as possible.
Hang on to your seats. At 100 commits, this release is a bit of a doozy.
Semver-minor releases, of course, mean that there's a new feature somewhere, right? Here's what's bumping that number for us this time:
a09c1a69d
#16687 Allow customizing the shell used to execute run-script
s. (@mmkal)4f45ba222
a48958598
901bef0e1
#17508 Add a new requires
field to package-lock.json
with information about the logical dependency tree. This includes references to the specific version each package is intended to see, and can be used for many things, such as converting package-lock.json
to other lockfile formats, various optimizations, and verifying correctness of a package tree. (@iarna)47e8fc8eb
#17508 Make npm ls
take package locks (and shrinkwraps) into account. This means npm ls
can now be used to see which dependencies are missing, so long as a package lock has been previously generated with it in. (@iarna)f0075e7ca
#17508 Take package.json
changes into account when running installs -- if you remove or add a dependency to package.json
manually, npm will now pick that up and update your tree and package lock accordingly. (@iarna)83a5455aa
#17205 Add npm udpate
as an alias for npm update
, for symmetry with install
/isntall
. (@gdassori)57225d394
#17120 npm will no longer warn about preferGlobal
, and the option is now deprecated. (@zkat)82df7bb16
#17351 As some of you may already know npm build
doesn't do what a lot of people expect: It's mainly an npm plumbing command, and is part of the more familiar npm rebuild
command. That said, a lot of users assume that this is the way to run an npm run-script
named build
, which is an incredibly common script name to use. To clarify things for users, and encourage them to use npm run build
instead, npm will now warn if npm build
is run without any arguments. (@lennym)59f86ef90
43be9d222
e906cdd98
#16633 npm now parallelizes tarball extraction across multiple child process workers. This can significantly speed up installations, specially when installing from cache, and will improve with number of processors. (@zkat)e0849878d
#17441 Avoid building environment for empty lifecycle scripts. This change alone accounted for as much as a 15% speed boost for npm installations by outright skipping entire steps of the installer when not needed. (@mikesherov)265c2544c
npm/hosted-git-info#24 hosted-git-info@2.5.0
: Add caching to fromURL
, which gets called many, many times by the installer. This improved installation performance by around 10% on realistic application repositories. (@mikesherov)901d26cb
npm/read-package-json#20 read-package-json@2.0.9
: Speed up installs by as much as 20% by reintroducing a previously-removed cache and making it actually be correct this time around. (@mikesherov)44e37045d
Eliminate Bluebird.promisifyAll
from our codebase. (@iarna)3b4681b53
#17508 Stop calling addBundle
on locked deps, speeding up the package-lock.json
-based fast path. (@iarna)package-lock.json
field, called requires
, which tracks which modules a given module requires.package.json
to trump the package-lock.json
.npm ls
now loads the shrinkwrap, which opens the door to showing a full tree of dependencies even when nothing is yet installed. (It doesn't do that yet though.)656544c31
d21ab57c3
#16637 Fix some cases where npm prune
was leaving some dependencies unpruned if to-be-pruned dependencies depended on them. (@exogen)394436b09
#17552 Make refresh-package-json
re-verify the package platform. This fixes an issue most notably experienced by Windows users using create-react-app
where fsevents
would not short-circuit and cause a crash during its otherwise-skipped native build phase. (@zkat)9e5a94354
#17590 Fix an issue where npm@5
would crash when trying to remove packages installed with npm@<5
. (@iarna)c3b586aaf
#17141 Don't update the package.json when modifying packages that don't go there. This was previously causing package.json
to get a "false": {}
field added. (@iarna)d04a23de2
4a5b360d5
d9e53db48
pacote@2.7.38
(@colinrotherham, @zkat, @mcibique):
e2f815f87
#17104 Write an empty str and wait for flush to exit to reduce issues with npm exiting before all output is complete when it's a child process. (@zkat)835fcec60
#17060 Make git repos with prepare scripts always install with both dev and prod flags. (@intellix)f1dc8a175
#16879 Fix support for always-auth
and _auth
. They are now both available in both unscoped and registry-scoped configurations. (@jozemlakar)ddd8a1ca2
Serialize package specs to prevent [object Object]
showing up in logs during extraction. (@zkat)99ef3b52c
#17505 Stop trying to commit updated npm-shrinkwrap.json
and package-lock.json
if they're .gitignore
d. (@zkat)58be2ec59
Make sure uid and gid are getting correctly set even when they're 0
. This should fix some Docker-related issues with bad permissions/broken ownership. (@rgrove)9d1e3b6fa
#17506 Skip writing package.json and locks if on-disk version is identical to the new one. (@zkat)3fc6477a8
#17592 Fix an issue where npm install -g .
on a package with no name
field would cause the entire global node_modules
directory to be replaced with a symlink to $CWD
. lol. (@iarna)06ba0a14a
#17591 Fix spurious removal reporting: if you tried to remove something that didn't actually exist, npm would tell you it removed 1 package even though there wasothing to do. (@iarna)20ff05f8
#17629 When removing a link, keep dependencies installed inside of it instead of removing them, if the link is outside the scope of the current project. This fixes an issue where removing globally-linked packages would remove all their dependencies in the source directory, as well as some ergonomic issues when using links in other situations. (@iarna)fd5fab595
npm-shrinkwrap.json
and package-lock.json
from RFC. (@iarna)9589c1ccb
#17451 Fix typo in changelog. (@watilde)f8e76d856
#17370 Correct the default prefix config path for Windows operating systems in the documentation for npm folders. (@kierendixon)d0f3b5a12
#17369 Fix npm-config
reference to userconfig
& globalconfig
environment variables. (@racztiborzoltan)87629880a
#17336 Remove note in docs about prepublish
being entirely removed. (@Hirse)a1058afd9
#17169 Document --no-package-lock
flag. (@leggsimon)32fc6e41a
#17250 Fix a typo in the shrinkwrap docs. (@Zarel)f19bd3c8c
#17249 Fix a package-lock.json cross-reference link. (@not-an-aardvark)153245edc
#17075 Fix a typo in npm-config
docs. (@KennethKinLum)c9b534a14
#17074 Clarify config documention with multiple boolean flags. (@KennethKinLum)e111b0a40
#16768 Document the -l
option to npm config list
. (@happylynx)5a803ebad
#16548 Fix permissions for documentation files. Some of them had +x
set. (???) (@metux)d57d4f48c
#17319 Document that the --silent
option for npm run-script
can be used to suppress npm ERR!
output on errors. (@styfle)Not all contributions need to be visible features, docs, or bugfixes! It's super helpful when community members go over our code and help clean it up, too!
The new version differs by 102 commits.
24ec9f2
5.1.0
8cefdc3
update AUTHORS
db0a2f8
doc: update changelog for npm@5.1.0
20ff05f
remove: Make file: spec/link removal match specification
993f673
config: remove old comment (#17600)
a09c1a6
run-script: allow custom shell (#16687)
7d65004
config: refactor to use Object.assign (#17563)
9e5a943
install/deps: Compute required package in legacy npm compatible way (#17590)
06ba0a1
install: fix spurious removal reporting (#17591)
3fc6477
validate-args: Check for name and version (#17592)
d4df17a
test: Remove extra blank line from prune-dev-dep-cycle
74924de
prune: Remove extraneous code
1e56f49
save: Remove extraneous module
394436b
actions: make refresh-package-json re-verify the package platform (#17552)
d21ab57
prune: Fix unpruned and incorrectly pruned dependencies
There are 102 commits in total.
See the full diff
Version 5.0.0 of npm just got published.
The version 5.0.0 is not covered by your current version range.
Without accepting this pull request your project will work just like it did before. There might be a bunch of new features, fixes and perf improvements that the maintainers worked on for you though.
I recommend you look into these changes and try to get onto the latest version of npm. Given that you have a decent test suite, a passing build is a strong indicator that you can take advantage of these changes by merging the proposed change into your project. Otherwise this branch is a great starting point for you to work on the update.
Release Notes
v5.0.0Wowowowowow npm@5!
This release marks months of hard work for the young, scrappy, and hungry CLI team, and includes some changes we've been hoping to do for literally years. npm@5 takes npm a pretty big step forward, significantly improving its performance in almost all common situations, fixing a bunch of old errors due to the architecture, and just generally making it more robust and fault-tolerant. It comes with changes to make life easier for people doing monorepos, for users who want consistency/security guarantees, and brings semver support to git dependencies. See below for all the deets!
Breaking Changes
Existing npm caches will no longer be used: you will have to redownload any cached packages. There is no tool or intention to reuse old caches. (#15666)
npm install ./packages/subdir
will now create a symlink instead of a regular installation.file://path/to/tarball.tgz
will not change -- only directories are symlinked. (#15900)npm will now scold you if you capitalize its name. seriously it will fight you.
npm will
--save
by default now. Additionally,package-lock.json
will be automatically created unless annpm-shrinkwrap.json
exists. (#15666)Git dependencies support semver through
user/repo#semver:^1.2.3
(#15308) (#15666) (@sankethkatta)Git dependencies with
prepare
scripts will have theirdevDependencies
installed, andnpm install
run in their directory before being packed.npm cache
commands have been rewritten and don't really work anything like they did before. (#15666)--cache-min
and--cache-max
have been deprecated. (#15666)Running npm while offline will no longer insist on retrying network requests. npm will now immediately fall back to cache if possible, or fail. (#15666)
package locks no longer exclude
optionalDependencies
that failed to build. This means package-lock.json and npm-shrinkwrap.json should now be cross-platform. (#15900)If you generated your package lock against registry A, and you switch to registry B, npm will now try to install the packages from registry B, instead of A. If you want to use different registries for different packages, use scope-specific registries (
npm config set @myscope:registry=https://myownregist.ry/packages/
). Different registries for different unscoped packages are not supported anymore.Shrinkwrap and package-lock no longer warn and exit without saving the lockfile.
Local tarballs can now only be installed if they have a file extensions
.tar
,.tar.gz
, or.tgz
.A new loglevel,
notice
, has been added and set as default.One binary to rule them all:
./cli.js
has been removed in favor of./bin/npm-cli.js
. In case you were doing something with./cli.js
itself. (#12096) (@watilde)Stub file removed (#16204) (@watilde)
The "extremely legacy"
_token
couchToken has been removed. (#12986)Feature Summary
Installer changes
A new, standardised lockfile feature meant for cross-package-manager compatibility (
package-lock.json
), and a new format and semantics for shrinkwrap. (#16441)--save
is no longer necessary. All installs will be saved by default. You can prevent saving with--no-save
. Installing optional and dev deps is unchanged: use-D/--save-dev
and-O/--save-optional
if you want them saved into those fields instead. Note that since npm@3, npm will automatically update npm-shrinkwrap.json when you save: this will also be true forpackage-lock.json
. (#15666)Installing a package directory now ends up creating a symlink and does the Right Thing™ as far as saving to and installing from the package lock goes. If you have a monorepo, this might make things much easier to work with, and probably a lot faster too.😁 (#15900)
Project-level (toplevel)
preinstall
scripts now run before anything else, and can modifynode_modules
before the CLI reads it.Two new scripts have been added,
prepack
andpostpack
, which will run on bothnpm pack
andnpm publish
, but NOT onnpm install
(without arguments). Combined with the fact thatprepublishOnly
is run before the tarball is generated, this should round out the general story as far as putzing around with your code before publication.Git dependencies with
prepare
scripts will now have their devDependencies installed, and their prepare script executed as if undernpm pack
.Git dependencies now support semver-based matching:
npm install git://github.com/npm/npm#semver:^5
(#15308, #15666)node-gyp
now supportsnode-gyp.cmd
on Windows (#14568)npm no longer blasts your screen with the whole installed tree. Instead, you'll see a summary report of the install that is much kinder on your shell real-estate. Specially for large projects. (#15914):
--parseable
and--json
now work more consistently across various commands, particularlyinstall
andls
.Indentation is now detected and preserved for
package.json
,package-lock.json
, andnpm-shrinkwrap.json
. If the package lock is missing, it will default topackage.json
's current indentation.Publishing
sha512
andsha1
checksums. Versions of npm from 5 onwards will use the strongest algorithm available to verify downloads. npm/npm-registry-client#157Cache Rewrite!
We've been talking about rewriting the cache for a loooong time. So here it is. Lots of exciting stuff ahead. The rewrite will also enable some exciting future features, but we'll talk about those when they're actually in the works. #15666 is the main PR for all these changes. Additional PRs/commits are linked inline.
Package metadata, package download, and caching infrastructure replaced.
It's a bit faster. Hopefully it will be noticeable.🤔
With the shrinkwrap and package-lock changes, tarballs will be looked up in the cache by content address (and verified with it).
Corrupted cache entries will automatically be removed and re-fetched on integrity check failure.
npm CLI now supports tarball hashes with any hash function supported by Node.js. That is, it will use
sha512
for tarballs from registries that send asha512
checksum as the tarball hash. Publishing withsha512
is added by npm/npm-registry-client#157 and may be backfilled by the registry for older entries.Remote tarball requests are now cached. This means that even if you're missing the
integrity
field in your shrinkwrap or package-lock, npm will be able to install from the cache.Downloads for large packages are streamed in and out of disk. npm is now able to install packages of """any""" size without running out of memory. Support for publishing them is pending (due to registry limitations).
Automatic fallback-to-offline mode. npm will seamlessly use your cache if you are offline, or if you lose access to a particular registry (for example, if you can no longer access a private npm repo, or if your git host is unavailable).
A new
--prefer-offline
option will make npm skip any conditional requests (304 checks) for stale cache data, and only hit the network if something is missing from the cache.A new
--prefer-online
option that will force npm to revalidate cached data (with 304 checks), ignoring any staleness checks, and refreshing the cache with revalidated, fresh data.A new
--offline
option will force npm to use the cache or exit. It will error with anENOTCACHED
code if anything it tries to install isn't already in the cache.A new
npm cache verify
command that will garbage collect your cache, reducing disk usage for things you don't need (-handwave-), and will do full integrity verification on both the index and the content. This is also hooked intonpm doctor
as part of its larger suite of checking tools.The new cache is very fault tolerant and supports concurrent access.
npm cache clear
is no longer useful for anything except clearing up disk space.Package metadata is cached separately per registry and package type: you can't have package name conflicts between locally-installed packages, private repo packages, and public repo packages. Identical tarball data will still be shared/deduplicated as long as their hashes match.
HTTP cache-related headers and features are "fully" (lol) supported for both metadata and tarball requests -- if you have your own registry, you can define your own cache settings the CLI will obey!
prepublishOnly
now runs before the tarball to publish is created, afterprepare
has run.Commits
The new version differs by 225 commits.
39495d0
5.0.0
0d91907
doc: update changelog for npm@5.0.0
8a173da
docs: END OF AN ERA OF CHANGELOGS 😭
794c10e
pkglock: remove packageIntegrity field of doom
674004c
lifecycle: added prepack and postpack (#16725)
db76632
cacache@9.2.5
0d35975
preinstall: Runs in the final dest, not the staging folder
a976fa1
pacote: more alwaysAuth logic
046f967
pacote: decode password before passing it on
0d40bf3
ls: Nothing is extraneous without a package.json
da7bbb2
install: allow parseable output for nodes w/o paths
1ea953a
test: gently-rm-linked-module: Cleanup output
4c99147
remove-deps: Update dependencies list even if we're not saving
72ce47c
pacote: look for always-auth too
1ab8c41
pacote: send username/password auth through, too
There are 225 commits in total.
See the full diff
Not sure how things should work exactly?
There is a collection of [frequently asked questions](https://greenkeeper.io/faq.html) and of course you may always [ask my humans](https://github.com/greenkeeperio/greenkeeper/issues/new).Your Greenkeeper Bot :palm_tree: