ยซ Changelog History


npm v5.10.0 Release Notes

Release Date: 2018-05-11 // almost 6 years ago

  • With this, likely the last release of the [email protected] series, we backport a number of features from 6.0.0. Contrary to Github at publication time, this is not the latest release. That honor belongs to 6.0.1, just below this. If you're using 6.0.1 there's nothing here you haven't seen before.

    EXTENDED npm init SCAFFOLDING

    Thanks to the wonderful efforts of @jdalton of lodash fame, npm init can now be used to invoke custom scaffolding tools!

    ๐Ÿ“ฆ You can now do things like npm init react-app or npm init esm to scaffold an npm package by running create-react-app and create-esm, respectively. This also adds an npm create alias, to correspond to Yarn's yarn create feature, which inspired this.

    DEPENDENCY AUDITING

    ๐Ÿ”’ This version of npm adds a new command, npm audit, which will run a security audit of your project's dependency tree and notify you about any actions you may need to take.

    The registry-side services required for this command to work will be available on the main npm registry in the coming weeks. Until then, you won't get much out of trying to use this on the CLI.

    ๐Ÿš‘ As part of this change, the npm CLI now sends scrubbed and cryptographically anonymized metadata about your dependency tree to your configured registry, to allow notifying you about the existence of critical security flaws. For details about how the CLI protects your privacy when it shares this metadata, see npm help audit, or read the docs for npm audit online. You can disable this altogether by doing npm config set audit false, but will no longer benefit from the service.

    ๐Ÿ“ฆ CTRL-C OUT DURING PACKAGE EXTRACTION AS MUCH AS YOU WANT!

    SHRONKWRAPS AND LACKFILES

    ๐Ÿ”’ If a published modules had legacy npm-shrinkwrap.json we were saving ordinary registry dependencies (name@version) to your package-lock.json as https:// URLs instead of versions.

    • ๐Ÿ”’ 36f998411 When saving the lock-file compute how the dependency is being required instead of using _resolved in the package.json. This fixes the bug that was converting registry dependencies into https:// dependencies. (@iarna)
    • ๐Ÿ”’ 113e1a3af When encountering a https:// URL in our lockfiles that point at our default registry, extract the version and use them as registry dependencies. This lets us heal package-lock.json files produced by 6.0.0 (@iarna)

    ๐Ÿ”’ MORE package-lock.json FORMAT CHANGES?!

    • ๐Ÿ“‡ 074502916 #20384 Add from field back into package-lock for git dependencies. This will give npm the information it needs to figure out whether git deps are valid, specially when running with legacy install metadata or in --package-lock-only mode when there's no node_modules. This should help remove a significant amount of git-related churn on the lock-file. (@zkat)

    ๐Ÿ“š DOCUMENTATION IMPROVEMENTS

    ๐Ÿ›  BUGFIXES

    • ๐Ÿ”’ 1b535cb9d #20358 npm install-test (aka npm it) will no longer generate package-lock.json when running with --no-package-lock or package-lock=false. (@raymondfeng)
    • ๐Ÿ”’ 268f7ac50 5f84ebdb6 c12e61431 #20390 Fix a scenario where a git dependency had a comittish associated with it that was not a complete commitid. npm would never consider that entry in the package.json as matching the entry in the package-lock.json and this resulted in inappropriate pruning or reinstallation of git dependencies. This has been addressed in two ways, first, the addition of the from field as described in #20384 means we can exactly match the package.json. Second, when that's missing (when working with older package-lock.json files), we assume that the match is ok. (If it's not, we'll fix it up when a real installation is done.) (@iarna)

    ๐Ÿ“„ DOCS

    โšก๏ธ DEPENDENCY UPDATES