npm

## v5.10.0 (2018-05-10): ### AUDIT SHOULDN'T WAIT FOREVER This will likely be reduced further with the goal that the audit process shouldn't noticibly slow down your builds regardless of your network situation. * [`3dcc240db`](https://github.com/npm/npm/commit/3dcc240dba5258532990534f1bd8a25d1698b0bf) Timeout audit requests eventually. ([@iarna](https://github.com/iarna)) ## v5.10.0-next.1 (2018-05-07): ### EXTENDED `npm init` SCAFFOLDING Thanks to the wonderful efforts of [@jdalton](https://github.com/jdalton) of lodash fame, `npm init` can now be used to invoke custom scaffolding tools! You can now do things like `npm init react-app` or `npm init esm` to scaffold an npm package by running `create-react-app` and `create-esm`, respectively. This also adds an `npm create` alias, to correspond to Yarn's `yarn create` feature, which inspired this. * [`adc009ed4`](https://github.com/npm/npm/commit/adc009ed4114ed1e692f8ef15123af6040615cee) [`f363edd04`](https://github.com/npm/npm/commit/f363edd04f474fa64e4d97228c0b2a7858f21e7c) [`f03b45fb2`](https://github.com/npm/npm/commit/f03b45fb217df066c3cb7715f9c0469d84e5aa8e) [`13adcbb52`](https://github.com/npm/npm/commit/13adcbb527fb8214e5f2233706c6b72ce072f3fa) [#20303](https://github.com/npm/npm/pull/20303) [#20372](https://github.com/npm/npm/pull/20372) Add an `npm init` feature that calls out to `npx` when invoked with positional arguments. ([@jdalton](https://github.com/jdalton)) ### DEPENDENCY AUDITING This version of npm adds a new command, `npm audit`, which will run a security audit of your project's dependency tree and notify you about any actions you may need to take. The registry-side services required for this command to work will be available on the main npm registry in the coming weeks. Until then, you won't get much out of trying to use this on the CLI. As part of this change, the npm CLI now sends scrubbed and cryptographically anonymized metadata about your dependency tree to your configured registry, to allow notifying you about the existence of critical security flaws. For details about how the CLI protects your privacy when it shares this metadata, see `npm help audit`, or [read the docs for `npm audit` online](https://github.com/npm/npm/blob/release-next/doc/cli/npm-audit.md). You can disable this altogether by doing `npm config set audit false`, but will no longer benefit from the service. * [`c81dfb91b`](https://github.com/npm/npm/commit/c81dfb91bc031f1f979fc200bb66718a7e8e1551) `npm-registry-fetch@1.1.1` ([@iarna](https://github.com/iarna)) * [`b096f44a9`](https://github.com/npm/npm/commit/b096f44a96d185c45305b9b6a5f26d3ccbbf759d) `npm-audit-report@1.0.9` ([@iarna](https://github.com/iarna)) * [`43b20b204`](https://github.com/npm/npm/commit/43b20b204ff9a86319350988d6774397b7da4593) [#20389](https://github.com/npm/npm/pull/20389) Add new `npm audit` command. ([@iarna](https://github.com/iarna)) * [`49ddb3f56`](https://github.com/npm/npm/commit/49ddb3f5669e90785217a639f936f4e38390eea2) [#20389](https://github.com/npm/npm/pull/20389) Temporarily suppress git metadata till there's an opt-in. ([@iarna](https://github.com/iarna)) * [`5f1129c4b`](https://github.com/npm/npm/commit/5f1129c4b072172c72cf9cff501885e2c11998ea) [#20389](https://github.com/npm/npm/pull/20389) Document the new command. ([@iarna](https://github.com/iarna)) * [`9a07b379d`](https://github.com/npm/npm/commit/9a07b379d24d089687867ca34df6e1e6189c72f1) [#20389](https://github.com/npm/npm/pull/20389) Default audit to off when running the npm test suite itself. ([@iarna](https://github.com/iarna)) * [`a6e2f1284`](https://github.com/npm/npm/commit/a6e2f12849b84709d89b3dc4f096e8c6f7db7ebb) Make sure we hide stream errors on background audit submissions. Previously some classes of error could end up being displayed (harmlessly) during installs. ([@iarna](https://github.com/iarna)) * [`aadbf3f46`](https://github.com/npm/npm/commit/aadbf3f4695e75b236ee502cbe41e51aec318dc3) Include session and scope in requests (as we do in other requests to the registry). ([@iarna](https://github.com/iarna)) * [`7d43ddf63`](https://github.com/npm/npm/commit/7d43ddf6366d3bfc18ea9ccef8c7b8e43d3b79f5) Exit with non-zero status when vulnerabilities are found. So you can have `npm audit` as a test or prepublish step! ([@iarna](https://github.com/iarna)) * [`bc3fc55fa`](https://github.com/npm/npm/commit/bc3fc55fae648da8efaf1be5b86078f0f736282e) Verify lockfile integrity before running. You'd get an error either way, but this way it's faster and can give you more concrete instructions on how to fix it. ([@iarna](https://github.com/iarna)) * [`2ac8edd42`](https://github.com/npm/npm/commit/2ac8edd4248f2393b35896f0300b530e7666bb0e) Refuse to run in global mode. Audits require a lockfile and globals don't have one. Yet. ([@iarna](https://github.com/iarna)) ### CTRL-C OUT DURING PACKAGE EXTRACTION AS MUCH AS YOU WANT! * [`663d8b5e5`](https://github.com/npm/npm/commit/663d8b5e5427c2243149d2dd6968faa117e9db3f) [npm/lockfile#29](https://github.com/npm/lockfile/pull/29) `lockfile@1.0.4`: Switches to `signal-exit` to detect abnormal exits and remove locks. ([@Redsandro](https://github.com/Redsandro)) ### SHRONKWRAPS AND LACKFILES If a published modules had legacy `npm-shrinkwrap.json` we were saving ordinary registry dependencies (`name@version`) to your `package-lock.json` as `https://` URLs instead of versions. * [`36f998411`](https://github.com/npm/npm/commit/36f9984113e39d7b190010a2d0694ee025924dcb) When saving the lock-file compute how the dependency is being required instead of using `_resolved` in the `package.json`. This fixes the bug that was converting registry dependencies into `https://` dependencies. ([@iarna](https://github.com/iarna)) * [`113e1a3af`](https://github.com/npm/npm/commit/113e1a3af2f487c753b8871d51924682283c89fc) When encountering a `https://` URL in our lockfiles that point at our default registry, extract the version and use them as registry dependencies. This lets us heal `package-lock.json` files produced by 6.0.0 ([@iarna](https://github.com/iarna)) ### MORE `package-lock.json` FORMAT CHANGES?! * [`074502916`](https://github.com/npm/npm/commit/0745029168dfdfee0d1823137550e6ebccf741a5) [#20384](https://github.com/npm/npm/pull/20384) Add `from` field back into package-lock for git dependencies. This will give npm the information it needs to figure out whether git deps are valid, specially when running with legacy install metadata or in `--package-lock-only` mode when there's no `node_modules`. This should help remove a significant amount of git-related churn on the lock-file. ([@zkat](https://github.com/zkat)) ### DOCUMENTATION IMPROVEMENTS * [`e0235ebb6`](https://github.com/npm/npm/commit/e0235ebb6e560f0114b8babedb6949385ab9bd57) [#20384](https://github.com/npm/npm/pull/20384) Update the lock-file spec doc to mention that we now generate the from field for `git`-type dependencies. ([@watilde](https://github.com/watilde)) * [`35de04676`](https://github.com/npm/npm/commit/35de04676a567ef11e1dd031d566231021d8aff2) [#20408](https://github.com/npm/npm/pull/20408) Describe what the colors in outdated mean. ([@teameh](https://github.com/teameh)) ### BUGFIXES * [`1b535cb9d`](https://github.com/npm/npm/commit/1b535cb9d4a556840aeab2682cc8973495c9919a) [#20358](https://github.com/npm/npm/pull/20358) `npm install-test` (aka `npm it`) will no longer generate `package-lock.json` when running with `--no-package-lock` or `package-lock=false`. ([@raymondfeng](https://github.com/raymondfeng)) * [`268f7ac50`](https://github.com/npm/npm/commit/268f7ac508cda352d61df63a2ae7148c54bdff7c) [`5f84ebdb6`](https://github.com/npm/npm/commit/5f84ebdb66e35486d1dec1ca29e9ba0e4c5b6d5f) [`c12e61431`](https://github.com/npm/npm/commit/c12e61431ecf4f77e56dc8aa55c41d5d7eeaacad) [#20390](https://github.com/npm/npm/pull/20390) Fix a scenario where a git dependency had a comittish associated with it that was not a complete commitid. `npm` would never consider that entry in the `package.json` as matching the entry in the `package-lock.json` and this resulted in inappropriate pruning or reinstallation of git dependencies. This has been addressed in two ways, first, the addition of the `from` field as described in [#20384](https://github.com/npm/npm/pull/20384) means we can exactly match the `package.json`. Second, when that's missing (when working with older `package-lock.json` files), we assume that the match is ok. (If it's not, we'll fix it up when a real installation is done.) ([@iarna](https://github.com/iarna)) ### DOCS * [`7b13bf5e3`](https://github.com/npm/npm/commit/7b13bf5e373e2ae2466ecaa3fd6dcba67a97f462) [#20331](https://github.com/npm/npm/pull/20331) Fix broken link to 'private-modules' page. The redirect went away when the new npm website went up, but the new URL is better anyway. ([@vipranarayan14](https://github.com/vipranarayan14)) * [`1c4ffddce`](https://github.com/npm/npm/commit/1c4ffddce05c25ef51e254dfc6a9a97e03c711ce) [#20279](https://github.com/npm/npm/pull/20279) Document the `--if-present` option for `npm run-script`. ([@aleclarson](https://github.com/aleclarson)) ### DEPENDENCY UPDATES * [`815d91ce0`](https://github.com/npm/npm/commit/815d91ce0e8044775e884c1dab93052da57f6650) `libnpx@10.2.0` ([@zkat](https://github.com/zkat)) * [`02715f19f`](https://github.com/npm/npm/commit/02715f19fbcdecec8990b92fc60b1a022c59613b) `update-notifier@2.5.0` ([@alexccl](https://github.com/alexccl)) * [`08c4ddd9e`](https://github.com/npm/npm/commit/08c4ddd9eb560aa6408a1bb1c1d2d9aa6ba46ba0) `tar@4.4.2` ([@isaacs](https://github.com/isaacs)) * [`53718cb12`](https://github.com/npm/npm/commit/53718cb126956851850839b4d7d3041d4e9a80d0) `tap@11.1.4` ([@isaacs](https://github.com/isaacs)) * [`0a20cf546`](https://github.com/npm/npm/commit/0a20cf546a246ac12b5fe2b6235ffb8649336ec4) `safe-buffer@5.1.2` ([@feross](https://github.com/feross)) * [`e8c8e844c`](https://github.com/npm/npm/commit/e8c8e844c194351fe2d65cf3af79ef318bbc8bec) `retry@0.12.0` ([@tim-kos](https://github.com/tim-kos)) * [`76c7f21bd`](https://github.com/npm/npm/commit/76c7f21bd04407d529edc4a76deaa85a2d6b6e6f) `read-package-tree@5.2.1` ([@zkat](https://github.com/zkat)) * [`c8b0aa07b`](https://github.com/npm/npm/commit/c8b0aa07b34a0b0f8bc85154da75d9fb458eb504) `query-string@6.1.0` ([@sindresorhus](https://github.com/sindresorhus)) * [`abfd366b4`](https://github.com/npm/npm/commit/abfd366b4709325f954f2b1ee5bd475330aab828) `npm-package-arg@6.1.0` ([@zkat](https://github.com/zkat)) * [`bd29baf83`](https://github.com/npm/npm/commit/bd29baf834c3e16a9b3d7b60cdb4f462889800bf) `lock-verify@2.0.2` ([@iarna](https://github.com/iarna)) ## v5.10.0-next.0 (2018-04-12): ### NEW FEATURES * [`32ec2f54b`](https://github.com/npm/npm/commit/32ec2f54b2ad7370f2fd17e6e2fbbb2487c81266) [#20257](https://github.com/npm/npm/pull/20257) Add shasum and integrity to the new `npm view` output. ([@zkat](https://github.com/zkat)) * [`a22153be2`](https://github.com/npm/npm/commit/a22153be239dfd99d87a1a1c7d2c3700db0bebf3) [#20126](https://github.com/npm/npm/pull/20126) Add `npm cit` command that's equivalent of `npm ci && npm t` that's equivalent of `npm it`. ([@SimenB](https://github.com/SimenB)) ### BUG FIXES * [`089aeaf44`](https://github.com/npm/npm/commit/089aeaf4479f286b1ce62716c6442382ff0f2150) Fix a bug where OTPs passed in via the commandline would have leading zeros deleted resulted in authentication failures. ([@iarna](https://github.com/iarna)) * [`6eaa860ea`](https://github.com/npm/npm/commit/6eaa860ead3222a6dbd6d370b4271e7bf242b30b) Eliminate direct use of `new Buffer` in `npm`. While the use of it in `npm` was safe, there are two other reasons for this change: 1. Node 10 emits warnings about its use. 2. Users who require npm as a library (which they definitely should not do) can call the functions that call `new Buffer` in unsafe ways, if they try really hard. ([@iarna](https://github.com/iarna)) * [`85900a294`](https://github.com/npm/npm/commit/85900a2944fed14bc8f59c48856fb797faaafedc) Starting with 5.8.0 the `requires` section of the lock-file saved version ranges instead of specific versions. Due to a bug, further actions on the same lock-file would result in the range being switched back to a version. This corrects that, keeping ranges when they appear. ([@iarna](https://github.com/iarna)) * [`0dffa9c2a`](https://github.com/npm/npm/commit/0dffa9c2ae20b669f65c8e596dafd63e52248250) [`609d6f6e1`](https://github.com/npm/npm/commit/609d6f6e1b39330b64ca4677a531819f2143a283) [`08f81aa94`](https://github.com/npm/npm/commit/08f81aa94171987a8e1b71a87034e7b028bb9fc7) [`f8b76e076`](https://github.com/npm/npm/commit/f8b76e0764b606e2c129cbaa66e48ac6a3ebdf8a) [`6d609822d`](https://github.com/npm/npm/commit/6d609822d00da7ab8bd05c24ec4925094ecaef53) [`59d080a22`](https://github.com/npm/npm/commit/59d080a22f7314a8e4df6e4f85c84777c1e4be42) Restore the ability to bundle dependencies that are uninstallable from the registry. This also eliminates needless registry lookups for bundled dependencies. Fixed a bug where attempting to install a dependency that is bundled inside another module without reinstalling that module would result in ENOENT errors. ([@iarna](https://github.com/iarna)) * [`db846c2d5`](https://github.com/npm/npm/commit/db846c2d57399f277829036f9d96cd767088097e) [#20029](https://github.com/npm/npm/pull/20029) Allow packages with non-registry specifiers to follow the fast path that the we use with the lock-file for registry specifiers. This will improve install time especially when operating only on the package-lock (`--package-lock-only`). ([@zkat](https://github.com/zkat)) Fix the a bug where `npm i --only=prod` could remove development dependencies from lock-file. ([@iarna](https://github.com/iarna)) * [`3e12d2407`](https://github.com/npm/npm/commit/3e12d2407446661d3dd226b03a2b6055b7932140) [#20122](https://github.com/npm/npm/pull/20122) Improve the update-notifier messaging (borrowing ideas from pnpm) and eliminate false positives. ([@zkat](https://github.com/zkat)) * [`f18be9b39`](https://github.com/npm/npm/commit/f18be9b39888d05c7f98946c53214f40914f6284) [#20154](https://github.com/npm/npm/pull/20154) Let version succeed when `package-lock.json` is gitignored. ([@nwoltman](https://github.com/nwoltman)) * [`ced29253d`](https://github.com/npm/npm/commit/ced29253df6c6d67e4bf47ca83e042db4fb19034) [#20212](https://github.com/npm/npm/pull/20212) Ensure that we only create an `etc` directory if we are actually going to write files to it. ([@buddydvd](https://github.com/buddydvd)) * [`8e21b19a8`](https://github.com/npm/npm/commit/8e21b19a8c5e7d71cb51f3cc6a8bfaf7749ac2c5) [#20140](https://github.com/npm/npm/pull/20140) Note in documentation that `package-lock.json` version gets touched by `npm version`. ([@srl295](https://github.com/srl295)) * [`5d17c87d8`](https://github.com/npm/npm/commit/5d17c87d8d27caeac71f291fbd62628f2765fda2) [#20032](https://github.com/npm/npm/pull/20032) Fix bug where unauthenticated errors would get reported as both 404s and 401s, i.e. `npm ERR! 404 Registry returned 401`. In these cases the error message will now be much more informative. ([@iarna](https://github.com/iarna)) * [`05ff6c9b1`](https://github.com/npm/npm/commit/05ff6c9b14cb095988b768830e51789d6b6b8e6e) [#20082](https://github.com/npm/npm/pull/20082) Allow optional @ prefix on scope with `npm team` commands for parity with other commands. ([@bcoe](https://github.com/bcoe)) * [`6bef53891`](https://github.com/npm/npm/commit/6bef538919825b8cd2e738333bdd7b6ca2e2e0e3) [#19580](https://github.com/npm/npm/pull/19580) Improve messaging when two-factor authentication is required while publishing. ([@jdeniau](https://github.com/jdeniau)) * [`155dab2bd`](https://github.com/npm/npm/commit/155dab2bd7b06724eca190abadd89c9f03f85446) Fix a bug where optional status of a dependency was not being saved to the package-lock on the initial install. ([@iarna](https://github.com/iarna)) * [`8d6a4cafc`](https://github.com/npm/npm/commit/8d6a4cafc2e6963d9ec7c828e1af6f2abc12e7f3) [`a0937e9af`](https://github.com/npm/npm/commit/a0937e9afe126dce7a746c1a6270b1ac69f2a9b3) Ensure that `--no-optional` does not remove optional dependencies from the lock-file. ([@iarna](https://github.com/iarna)) ### DEPENDENCY UPDATES * [`8baa37551`](https://github.com/npm/npm/commit/8baa37551945bc329a6faf793ec5e3e2feff489b) [zkat/cipm#46](https://github.com/zkat/cipm/pull/46) `libcipm@1.6.2`: Detect binding.gyp for default install lifecycle. Let's `npm ci` work on projects that have their own C code. ([@caleblloyd](https://github.com/caleblloyd)) * [`323f74242`](https://github.com/npm/npm/commit/323f74242066c989f7faf94fb848ff8f3b677619) [zkat/json-parse-better-errors#1](https://github.com/zkat/json-parse-better-errors/pull/1) `json-parse-better-errors@1.0.2` ([@Hoishin](https://github.com/Hoishin)) * [`d0cf1f11e`](https://github.com/npm/npm/commit/d0cf1f11e5947446f74881a3d15d6a504baea619) `readable-stream@2.3.6` ([@mcollina](https://github.com/mcollina)) * [`9e9fdba5e`](https://github.com/npm/npm/commit/9e9fdba5e7b7f3a1dd73530dadb96d9e3445c48d) `update-notifier@2.4.0` ([@sindersorhus](https://github.com/sindersorhus)) * [`57fa33870`](https://github.com/npm/npm/commit/57fa338706ab122ab7e13d2206016289c5bdacf3) `marked@0.3.1` ([@joshbruce](https://github.com/joshbruce)) * [`d2b20d34b`](https://github.com/npm/npm/commit/d2b20d34b60f35eecf0d51cd1f05de79b0e15096) [#20276](https://github.com/npm/npm/pull/20276) `node-gyp@3.6.2` * [`2b5700679`](https://github.com/npm/npm/commit/2b5700679fce9ee0c24c4509618709a4a35a3d27) [zkat/npx#172](https://github.com/zkat/npx/pull/172) `libnpx@10.1.1` ([@jdalton](https://github.com/jdalton)) ## v5.9.0 (2018-03-23): Coming to you this week are a fancy new package view, pack/publish previews and a handful of bug fixes! Let's get right in! ### NEW PACKAGE VIEW There's a new `npm view` in town. You might it as `npm info` or `npm show`. The new output gives you a nicely summarized view that for most packages fits on one screen. If you ask it for `--json` you'll still get the same results, so your scripts should still work fine. * [`143cdbf13`](https://github.com/npm/npm/commit/143cdbf1327f7d92ccae405bc05d95d28939a837) [#19910](https://github.com/npm/npm/pull/19910) Add humanized default view. ([@zkat](https://github.com/zkat)) * [`ca84be91c`](https://github.com/npm/npm/commit/ca84be91c434fb7fa472ee4c0b7341414acf52b5) [#19910](https://github.com/npm/npm/pull/19910) `tiny-relative-date@1.3.0` ([@zkat](https://github.com/zkat)) * [`9a5807c4f`](https://github.com/npm/npm/commit/9a5807c4f813c49b854170b6111c099b3054faa2) [#19910](https://github.com/npm/npm/pull/19910) `cli-columns@3.1.2` ([@zkat](https://github.com/zkat)) * [`23b4a4fac`](https://github.com/npm/npm/commit/23b4a4fac0fbfe8e03e2f65d9f674f163643d15d) [#19910](https://github.com/npm/npm/pull/19910) `byte-size@4.0.2` ### PACK AND PUBLISH PREVIEWS The `npm pack` and `npm publish` commands print out a summary of the files included in the package. They also both now take the `--dry-run` flag, so you can double check your `.npmignore` settings before doing a publish. * [`116e9d827`](https://github.com/npm/npm/commit/116e9d8271d04536522a7f02de1dde6f91ca5e6e) [#19908](https://github.com/npm/npm/pull/19908) Add package previews to pack and publish. Also add --dry-run and --json flags. ([@zkat](https://github.com/zkat)) ### MERGE CONFLICT, SMERGE CONFLICT If you resolve a `package-lock.json` merge conflict with `npm install` we now suggest you setup a merge driver to handle these automatically for you. If you're reading this and you'd like to set it up now, run: ```console npx npm-merge-driver install -g ``` * [`5ebe99719`](https://github.com/npm/npm/commit/5ebe99719d11fedeeec7a55f1b389dcf556f32f3) [#20071](https://github.com/npm/npm/pull/20071) suggest installing the merge driver ([@zkat](https://github.com/zkat)) ### MISC BITS * [`a05e27b71`](https://github.com/npm/npm/commit/a05e27b7104f9a79f5941e7458c4658872e5e0cd) Going forward, record requested ranges not versions in the package-lock. ([@iarna](https://github.com/iarna)) * [`f721eec59`](https://github.com/npm/npm/commit/f721eec599df4bdf046d248e0f50822d436654b4) Add 10 to Node.js supported version list. It's not out yet, but soon my pretties... ([@iarna](https://github.com/iarna)) ### DEPENDENCY UPDATES * [`40aabb94e`](https://github.com/npm/npm/commit/40aabb94e3f24a9feabb9c490403e10ec9dc254f) `libcipm@1.6.1`: Fix bugs on docker and with some `prepare` scripts and `npm ci`. Fix a bug where script hooks wouldn't be called with `npm ci`. Fix a bug where `npm ci` and `--prefix` weren't compatible. ([@isaacseymour](https://github.com/isaacseymour)) ([@umarov](https://github.com/umarov)) ([@mikeshirov](https://github.com/mikeshirov)) ([@billjanitsch](https://github.com/billjanitsch)) * [`a85372e67`](https://github.com/npm/npm/commit/a85372e671eab46e62caa46631baa30900e32114) `tar@4.4.1`: Switch to safe-buffer and Buffer.from. ([@isaacs](https://github.com/isaacs)) ([@ChALkeR](https://github.com/ChALkeR)) * [`588eabd23`](https://github.com/npm/npm/commit/588eabd23fa04420269b9326cab26d974d9c151f) `lru-cache@4.1.2`: * [`07f27ee89`](https://github.com/npm/npm/commit/07f27ee898f3c3199e75427017f2b6a189b1a85b) `qrcode-terminal@0.12.0`: * [`01e4e29bc`](https://github.com/npm/npm/commit/01e4e29bc879bdaa0e92f0b58e3725a41377d21c) `request@2.85.0` * [`344ba8819`](https://github.com/npm/npm/commit/344ba8819f485c72e1c7ac3e656d7e9210ccf607) `worker-farm@1.6.0` * [`dc6df1bc4`](https://github.com/npm/npm/commit/dc6df1bc4677164b9ba638e87c1185b857744720) `validate-npm-package-license@3.0.3` * [`97a976696`](https://github.com/npm/npm/commit/97a9766962ab5125af3b2a1f7b4ef550a2e3599b) `ssri@5.3.0` * [`9b629d0c6`](https://github.com/npm/npm/commit/9b629d0c69599635ee066cb71fcc1b0155317f19) `query-string@5.1.1` ## v5.8.0 (2018-03-08): Hey again, everyone! While last release was focused largely around PRs from the CLI team, this release is mostly pulling in community PRs in npm itself and its dependencies! We've got a good chunk of wonderful contributions for y'all, and even new features and performance improvements! 🎉 We're hoping to continue our biweekly (as in every-other-week biweekly) release schedule from now on, so you should be seeing more steady npm releases from here on out. And that's good, 'cause we've got a _ton_ of new stuff on our roadmap for this year. Keep an eye out for exciting news. 👀 ### FEATURES * [`2f513fe1c`](https://github.com/npm/npm/commit/2f513fe1ce6db055b04a63fe4360212a83f77b34) [#19904](https://github.com/npm/npm/pull/19904) Make a best-attempt at preserving line ending style when saving `package.json`/`package-lock.json`/`npm-shrinkwrap.json`. This goes hand-in-hand with a previous patch to preserve detected indentation style. ([@tuananh](https://github.com/tuananh)) * [`d3cfd41a2`](https://github.com/npm/npm/commit/d3cfd41a28253db5a18260f68642513cbbc93e3b) `pacote@7.6.1` ([@zkat](https://github.com/zkat)) * Enable `file:`-based `resolved` URIs in `package-lock.json`. * Retry git-based operations on certain types of failure. * [`ecfbb16dc`](https://github.com/npm/npm/commit/ecfbb16dc705f28aa61b3223bdbf9e47230a0fa4) [#19929](https://github.com/npm/npm/pull/19929) Add support for the [`NO_COLOR` standard](http://no-color.org). This gives a cross-application, consistent way of disabling ANSI color code output. Note that npm already supported this through `--no-color` or `npm_config_color='false'` configurations, so this is just another way to do it. ([@chneukirchen](https://github.com/chneukirchen)) * [`fc8761daf`](https://github.com/npm/npm/commit/fc8761daf1e8749481457973890fa516eb96a195) [#19629](https://github.com/npm/npm/pull/19629) Give more detailed, contextual information when npm fails to parse `package-lock.json` and `npm-shrinkwrap.json`, instead of saying `JSON parse error` and leaving you out in the cold. ([@JoshuaKGoldberg](https://github.com/JoshuaKGoldberg)) * [`1d368e1e6`](https://github.com/npm/npm/commit/1d368e1e63229f236b9dbabf628989fa3aa98bdb) [#19157](https://github.com/npm/npm/pull/19157) Add `--no-proxy` config option. Previously, you needed to use the `NO_PROXY` environment variable to use this feature -- now it's an actual npm option. ([@Saturate](https://github.com/Saturate)) * [`f0e998daa`](https://github.com/npm/npm/commit/f0e998daa049810d5f928615132250021e46451d) [#18426](https://github.com/npm/npm/pull/18426) Do environment variable replacement in config files even for config keys or fragments of keys. ([@misak113](https://github.com/misak113)) * [`9847c82a8`](https://github.com/npm/npm/commit/9847c82a8528cfdf5968e9bb00abd8ed47903b5c) [#18384](https://github.com/npm/npm/pull/18384) Better error messaging and suggestions when users get `EPERM`/`EACCES` errors. ([@chrisjpatty](https://github.com/chrisjpatty)) * [`b9d0c0c01`](https://github.com/npm/npm/commit/b9d0c0c0173542a8d741a9a17b9fb34fbaf5068e) [#19448](https://github.com/npm/npm/pull/19448) Holiday celebrations now include all JavaScripters, not just Node developers. ([@isaacs](https://github.com/isaacs)) ### NPM CI I hope y'all have been having fun with `npm ci` so far! Since this is the first release since that went out, we've had a few fixes and improvements now that folks have actually gotten their hands on it! Benchmarks have been super promising so far, and I've gotten messages from a lot of you saying you've sped up your CI work by **2-5x** in some cases! Have a good example? Tell us on Twitter! `npm ci` is, right now, [the fastest installer](http://blog.npmjs.org/post/171556855892/introducing-npm-ci-for-faster-more-reliable) you can use in CI situations, so go check it out if you haven't already! We'll continue doing performance improvements on it, and a lot of those will help make `npm install` fast as well. 🏎😎 * [`0d7f203d9`](https://github.com/npm/npm/commit/0d7f203d9e86cc6c8d69107689ea60fc7cbab424) `libcipm@1.6.0` ([@zkat](https://github.com/zkat)) This `libcipm` release includes a number of improvements: * **PERFORMANCE** Reduce calls to `read-package-json` and separate JSON update phase from man/bin linking phase. `npm ci` should be noticeably faster. * **FEATURE** Progress bar now fills up as packages are installed, instead of sitting there doing nothing. * **BUGFIX** Add support for `--only` and `--also` options. * **BUFGIX** Linking binaries and running scripts in parallel was causing packages to sometimes clobber each other when hoisted, as well as potentially running too many run-scripts in parallel. This is now a serial operation, and it turns out to have had relatively little actual performance impact. * **BUGFIX** Stop adding `_from` to directory deps (aka `file:packages/my-dep`). ### BUGFIXES * [`58d2aa58d`](https://github.com/npm/npm/commit/58d2aa58d5f9c4db49f57a5f33952b3106778669) [#20027](https://github.com/npm/npm/pull/20027) Use a specific mtime when packing tarballs instead of the beginning of epoch time. This should allow `npm pack` to generate tarballs with identical hashes for identical contents, while fixing issues with some `zip` implementations that do not support pre-1980 timestamps. ([@isaacs](https://github.com/isaacs)) * [`4f319de1d`](https://github.com/npm/npm/commit/4f319de1d6e8aca5fb68f78023425233da4f07f6) Don't fall back to couch adduser if we didn't try couch login. ([@iarna](https://github.com/iarna)) * [`c8230c9bb`](https://github.com/npm/npm/commit/c8230c9bbd596156a4a8cfe62f2370f81d22bd9f) [#19608](https://github.com/npm/npm/pull/19608) Fix issue where using the npm-bundled `npx` on Windows was invoking `npx prefix` (and downloading that package). ([@laggingreflex](https://github.com/laggingreflex)) * [`d70c01970`](https://github.com/npm/npm/commit/d70c01970311f4e84b35eef8559c114136a9ebc7) [#18953](https://github.com/npm/npm/pull/18953) Avoid using code that depends on `node@>=4` in the `unsupported` check, so npm can report the issue normally instead of syntax-crashing. ([@deployable](https://github.com/deployable)) ### DOCUMENTATION * [`4477ca2d9`](https://github.com/npm/npm/commit/4477ca2d993088ac40ef5cf39d1f9c68be3d6252) `marked@0.3.17`: Fixes issue preventing correct rendering of backticked strings. man pages should be rendering correctly now instead of having empty spaces wherever backticks were used. ([@joshbruce](https://github.com/joshbruce)) * [`71076ebda`](https://github.com/npm/npm/commit/71076ebdaddd04f2bf330fe668f15750bcff00ea) [#19950](https://github.com/npm/npm/pull/19950) Add a note to install --production. ([@kyranet](https://github.com/kyranet)) * [`3a33400b8`](https://github.com/npm/npm/commit/3a33400b89a8dd00fa9a49fcb57a8add36f79fa6) [#19957](https://github.com/npm/npm/pull/19957) nudge around some details in ci docs ([@zkat](https://github.com/zkat)) * [`06038246a`](https://github.com/npm/npm/commit/06038246a3fa58d6f42bb4ab897aa534ff6ed282) [#19893](https://github.com/npm/npm/pull/19893) Add a common open reason to the issue template. ([@MrStonedOne](https://github.com/MrStonedOne)) * [`7376dd8af`](https://github.com/npm/npm/commit/7376dd8afb654929adade126b4925461aa52da12) [#19870](https://github.com/npm/npm/pull/19870) Fix typo in `npm-config.md` ([@joebowbeer](https://github.com/joebowbeer)) * [`5390ed4fa`](https://github.com/npm/npm/commit/5390ed4fa2b480f7c58fff6ee670120149ec2d45) [#19858](https://github.com/npm/npm/pull/19858) Fix documented default value for config save option. It was still documented as `false`, even though `npm@5.0.0` set it to `true` by default. ([@nalinbhardwaj](https://github.com/nalinbhardwaj)) * [`dc36d850a`](https://github.com/npm/npm/commit/dc36d850a1d763f71a98c99db05ca875dab124ed) [#19552](https://github.com/npm/npm/pull/19552) Rework `npm update` docs now that `--save` is on by default. ([@selbekk](https://github.com/selbekk)) * [`5ec5dffc8`](https://github.com/npm/npm/commit/5ec5dffc80527d9330388ff82926dd890f4945af) [#19726](https://github.com/npm/npm/pull/19726) Clarify that `name` and `version` fields are optional if your package is not supposed to be installable as a dependency. ([@ngarnier](https://github.com/ngarnier)) * [`046500994`](https://github.com/npm/npm/commit/0465009942d6423f878c1359e91972fa5990f996) [#19676](https://github.com/npm/npm/pull/19676) Fix documented cache location on Windows. ([@VladRassokhin](https://github.com/VladRassokhin)) * [`ffa84cd0f`](https://github.com/npm/npm/commit/ffa84cd0f43c07858506764b4151ba6af11ea120) [#19475](https://github.com/npm/npm/pull/19475) Added example for `homepage` field from `package.json`. ([@cg-cnu](https://github.com/cg-cnu)) * [`de72d9a18`](https://github.com/npm/npm/commit/de72d9a18ae650ebaee0fdd6694fc89b1cbe8e95) [#19307](https://github.com/npm/npm/pull/19307) Document the `requires` field in `npm help package-lock.json`. ([@jcrben](https://github.com/jcrben)) * [`35c4abded`](https://github.com/npm/npm/commit/35c4abdedfa622f27e8ee47aa6e293f435323623) [#18976](https://github.com/npm/npm/pull/18976) Typo fix in coding style documentation. ([@rinfan](https://github.com/rinfan)) * [`0616fd22a`](https://github.com/npm/npm/commit/0616fd22a4e4f2b2998bb70d86d269756aab64be) [#19216](https://github.com/npm/npm/pull/19216) Add `edit` section to description in `npm-team.md`. ([@WispProxy](https://github.com/WispProxy)) * [`c2bbaaa58`](https://github.com/npm/npm/commit/c2bbaaa582d024cc48b410757efbb81d95837d43) [#19194](https://github.com/npm/npm/pull/19194) Tiny style fix in `npm.md`. ([@WispProxy](https://github.com/WispProxy)) * [`dcdfdcbb0`](https://github.com/npm/npm/commit/dcdfdcbb0035ef3290bd0912f562e26f6fc4ea94) [#19192](https://github.com/npm/npm/pull/19192) Document `--development` flag in `npm-ls.md`. ([@WispProxy](https://github.com/WispProxy)) * [`d7ff07135`](https://github.com/npm/npm/commit/d7ff07135a685dd89c15e29d6a28fca33cf448b0) [#18514](https://github.com/npm/npm/pull/18514) Make it so `javascript` -> `JavaScript`. This is important. ([@masonpawsey](https://github.com/masonpawsey)) * [`7a8705113`](https://github.com/npm/npm/commit/7a870511327d31e8921d6afa845ec8065c60064b) [#18407](https://github.com/npm/npm/pull/18407) Clarify the mechanics of the `file` field in `package.json` a bit. ([@bmacnaughton](https://github.com/bmacnaughton)) * [`b2a1cf084`](https://github.com/npm/npm/commit/b2a1cf0844ceaeb51ed04f3ae81678527ec9ae68) [#18382](https://github.com/npm/npm/pull/18382) Document the [`browser` field](https://github.com/defunctzombie/package-browser-field-spec) in `package.json`. ([@mxstbr](https://github.com/mxstbr)) ### MISC * [`b8a48a959`](https://github.com/npm/npm/commit/b8a48a9595b379cfc2a2c576f61062120ea0caf7) [#19907](https://github.com/npm/npm/pull/19907) Consolidate code for stringifying `package.json` and package locks. Also adds tests have been added to test that `package[-lock].json` files are written to disk with their original line endings. ([@nwoltman](https://github.com/nwoltman)) * [`b4f707d9f`](https://github.com/npm/npm/commit/b4f707d9f543f0995ed5811827a892fc8b2192b5) [#19879](https://github.com/npm/npm/pull/19879) Remove unused devDependency `nock` from `.gitignore`. ([@watilde](https://github.com/watilde)) * [`8150dd5f7`](https://github.com/npm/npm/commit/8150dd5f72520eb143f75e44787a5775bd8b8ebc) [#16540](https://github.com/npm/npm/pull/16540) Stop doing an `uninstall` when using `make clean`. ([@metux](https://github.com/metux)) ### OTHER DEPENDENCY BUMPS * [`ab237a2a5`](https://github.com/npm/npm/commit/ab237a2a5dcf70ee490e2f0322dfedb1560251d4) `init-package-json@1.10.3` ([@zkat](https://github.com/zkat)) * [`f6d668941`](https://github.com/npm/npm/commit/f6d6689414f00a67a1f34afc6791bdc7d7be4d9b) `npm-lifecycle@2.0.1` ([@zkat](https://github.com/zkat)) * [`882bfbdfa`](https://github.com/npm/npm/commit/882bfbdfaa3eb09b35875e648545cb6967f72562) `npm-registry-client@8.5.1` ([@zkat](https://github.com/zkat)) * [`6ae38055b`](https://github.com/npm/npm/commit/6ae38055ba69db5785ee6c394372de0333763822) `read-package-json@2.0.1`: Support git packed refs `--all` mode. ([@zkat](https://github.com/zkat)) * [`89db703ae`](https://github.com/npm/npm/commit/89db703ae4e25b9fb6c9d7c5119520107a23a752) `readable-stream@2.3.5` ([@mcollina](https://github.com/mcollina)) * [`634dfa5f4`](https://github.com/npm/npm/commit/634dfa5f476b7954b136105a8f9489f5631085a3) `worker-farm@1.5.4` ([@rvagg](https://github.com/rvagg)) * [`92ad34439`](https://github.com/npm/npm/commit/92ad344399f7a23e308d0f3f02547656a47ae6c5) `hosted-git-info@2.6.0` ([@zkat](https://github.com/zkat)) * [`75279c488`](https://github.com/npm/npm/commit/75279c4884d02bd7d451b66616e320eb8cb03bcb) `tar@4.4.0` ([@isaacs](https://github.com/isaacs)) * [`228aba276`](https://github.com/npm/npm/commit/228aba276b19c987cd5989f9bb9ffbe25edb4030) `write-file-atomic@2.3.0` ([@iarna](https://github.com/iarna)) * [`006e9d272`](https://github.com/npm/npm/commit/006e9d272914fc3ba016f110b1411dd20f8a937d) `libnpx@10.0.1` ([@zkat](https://github.com/zkat)) * [`9985561e6`](https://github.com/npm/npm/commit/9985561e666473deeb352c1d4252adf17c2fa01d) `mississippi@3.0.0` ([@bcomnes](https://github.com/bcomnes)) * [`1dc6b3b52`](https://github.com/npm/npm/commit/1dc6b3b525967bc8526aa4765e987136cb570e8e) `tap@11.1.2` ([@isaacs](https://github.com/isaacs)) ## v5.7.1 (2018-02-22): This release reverts a patch that could cause some ownership changes on system files when running from some directories when also using `sudo`. 😲 Thankfully, it only affected users running `npm@next`, which is part of our staggered release system, which we use to prevent issues like this from going out into the wider world before we can catch them. Users on `latest` would have never seen this! The original patch was added to increase consistency and reliability of methods npm uses to avoid writing files as `root` in places it shouldn't, but the change was applied in places that should have used regular `mkdirp`. This release reverts that patch. * [`74e149da6`](https://github.com/npm/npm/commit/74e149da6efe6ed89477faa81fef08eee7999ad0) [`#19883`](https://github.com/npm/npm/issue/19883) Revert "*: Switch from mkdirp to correctMkdir to preserve perms and owners" This reverts commit [`94227e15`](https://github.com/npm/npm/commit/94227e15eeced836b3d7b3d2b5e5cc41d4959cff). ([@zkat](https://github.com/zkat)) ## v5.7.0 (2018-02-20): Hey y'all, it's been a while. Expect our release rate to increase back to normal here, as we've got a lot in the pipeline. Right now we've got a bunch of things from folks at npm. In the next release we'll be focusing on user contributions and there are a lot of them queued up! This release brings a bunch of exciting new features and bug fixes. ### PACKAGE-LOCK GIT MERGE CONFLICT RESOLUTION Allow `npm install` to fix `package-lock.json` and `npm-shrinkwrap.json` files that have merge conflicts in them without your having to edit them. It works in conjunction with [`npm-merge-driver`](https://www.npmjs.com/package/npm-merge-driver) to entirely eliminate package-lock merge conflicts. * [`e27674c22`](https://github.com/npm/npm/commit/e27674c221dc17473f23bffa50123e49a021ae34) Automatically resolve merge conflicts in lock-files. ([@zkat](https://github.com/zkat)) ### NPM CI The new `npm ci` command installs from your lock-file ONLY. If your `package.json` and your lock-file are out of sync then it will report an error. It works by throwing away your `node_modules` and recreating it from scratch. Beyond guaranteeing you that you'll only get what is in your lock-file it's also much faster (2x-10x!) than `npm install` when you don't start with a `node_modules`. As you may take from the name, we expect it to be a big boon to continuous integration environments. We also expect that folks who do production deploys from git tags will see major gains. * [`5e4de9c99`](https://github.com/npm/npm/commit/5e4de9c99c934e25ef7b9c788244cc3c993da559) Add new `npm ci` installer. ([@zkat](https://github.com/zkat)) ### OTHER NEW FEATURES * [`4d418c21b`](https://github.com/npm/npm/commit/4d418c21b051f23a3b6fb085449fdf4bf4f826f5) [#19817](https://github.com/npm/npm/pull/19817) Include contributor count in installation summary. ([@kemitchell](https://github.com/kemitchell)) * [`17079c2a8`](https://github.com/npm/npm/commit/17079c2a880d3a6f8a67c8f17eedc7eb51b8f0f8) Require password to change email through `npm profile`. ([@iarna](https://github.com/iarna)) * [`e7c5d226a`](https://github.com/npm/npm/commit/e7c5d226ac0ad3da0e38f16721c710909d0a9847) [`4f5327c05`](https://github.com/npm/npm/commit/4f5327c0556764aa1bbc9b58b1a8c8a84136c56a) [#19780](https://github.com/npm/npm/pull/19780) Add support for web-based logins. This is not yet available on the registry, however. ([@isaacs](https://github.com/isaacs)) ### BIG FIXES TO PRUNING * [`827951590`](https://github.com/npm/npm/commit/8279515903cfa3026cf7096189485cdf29f74a8f) Handle running `npm install package-name` with a `node_modules` containing packages without sufficient metadata to verify their origin. The only way to get install packages like this is to use a non-`npm` package manager. Previously `npm` removed any packages that it couldn't verify. Now it will leave them untouched as long as you're not asking for a full install. On a full install they will be reinstalled (but the same versions will be maintained). This will fix problems for folks who are using a third party package manager to install packages that have `postinstall` scripts that run `npm install`. ([@iarna](https://github.com/iarna)) * [`3b305ee71`](https://github.com/npm/npm/commit/3b305ee71e2bf852ff3037366a1774b8c5fcc0a5) Only auto-prune on installs that will create a lock-file. This restores `npm@4` compatible behavior when the lock-file is disabled. When using a lock-file `npm` will continue to remove anything in your `node_modules` that's not in your lock-file. ([@iarna](https://github.com/iarna)) * [`cec5be542`](https://github.com/npm/npm/commit/cec5be5427f7f5106a905de8630e1243e9b36ef4) Fix bug where `npm prune --production` would remove dev deps from the lock file. It will now only remove them from `node_modules` not from your lock file. ([@iarna](https://github.com/iarna)) * [`857dab03f`](https://github.com/npm/npm/commit/857dab03f2d58586b45d41d3e5af0fb2d4e824d0) Fix bug where git dependencies would be removed or reinstalled when installing other dependencies. ([@iarna](https://github.com/iarna)) ### BUG FIXES TO TOKENS AND PROFILES * [`a66e0cd03`](https://github.com/npm/npm/commit/a66e0cd0314893b745e6b9f6ca1708019b1d7aa3) For CIDR filtered tokens, allow comma separated CIDR ranges, as documented. Previously you could only pass in multiple cidr ranges with multiple `--cidr` command line options. ([@iarna](https://github.com/iarna)) * [`d259ab014`](https://github.com/npm/npm/commit/d259ab014748634a89cad5b20eb7a40f3223c0d5) Fix token revocation when an OTP is required. Previously you had to pass it in via `--otp`. Now it will prompt you for an OTP like other `npm token` commands. ([@iarna](https://github.com/iarna)) * [`f8b1f6aec`](https://github.com/npm/npm/commit/f8b1f6aecadd3b9953c2b8b05d15f3a9cff67cfd) Update token and profile commands to support legacy (username/password) authentication. (The npm registry uses tokens, not username/password pairs, to authenticate commands.) ([@iarna](https://github.com/iarna)) ### OTHER BUG FIXES * [`6954dfc19`](https://github.com/npm/npm/commit/6954dfc192f88ac263f1fcc66cf820a21f4379f1) Fix a bug where packages would get pushed deeper into the tree when upgrading without an existing copy on disk. Having packages deeper in the tree ordinarily is harmless but is not when peerDependencies are in play. ([@iarna](https://github.com/iarna)) * [`1ca916a1e`](https://github.com/npm/npm/commit/1ca916a1e9cf94691d1ff2e5e9d0204cfaba39e1) Fix bug where when switching from a linked module to a non-linked module, the dependencies of the module wouldn't be installed on the first run of `npm install`. ([@iarna](https://github.com/iarna)) * [`8c120ebb2`](https://github.com/npm/npm/commit/8c120ebb28e87bc6fe08a3fad1bb87b50026a33a) Fix integrity matching to eliminate spurious EINTEGRITY errors. ([@zkat](https://github.com/zkat)) * [`94227e15e`](https://github.com/npm/npm/commit/94227e15eeced836b3d7b3d2b5e5cc41d4959cff) More consistently make directories using perm and ownership preserving features. ([@iarna](https://github.com/iarna)) ### DEPENDENCY UPDATES * [`364b23c7f`](https://github.com/npm/npm/commit/364b23c7f8a231c0df3866d6a8bde4d3f37bbc00) [`f2049f9e7`](https://github.com/npm/npm/commit/f2049f9e7992e6edcfce8619b59746789367150f) `cacache@10.0.4` ([@zkat](https://github.com/zkat)) * [`d183d7675`](https://github.com/npm/npm/commit/d183d76757e8a29d63a999d7fb4edcc1486c25c1) `find-npm-prefix@1.0.2`: ([@iarna](https://github.com/iarna)) * [`ffd6ea62c`](https://github.com/npm/npm/commit/ffd6ea62ce583baff38cf4901cf599639bc193c8) `fs-minipass@1.2.5` * [`ee63b8a31`](https://github.com/npm/npm/commit/ee63b8a311ac53b0cf2efa79babe61a2c4083ef6) `ini@1.3.5` ([@isaacs](https://github.com/isaacs)) * [`6f73f5509`](https://github.com/npm/npm/commit/6f73f5509e9e8d606526565c7ceb71c62642466e) `JSONStream@1.3.2` ([@dominictarr](https://github.com/dominictarr)) * [`26cd64869`](https://github.com/npm/npm/commit/26cd648697c1324979289e381fe837f9837f3874) [`9bc6230cf`](https://github.com/npm/npm/commit/9bc6230cf34a09b7e4358145ff0ac3c69c23c3f6) `libcipm@1.3.3` ([@zkat](https://github.com/zkat)) * [`21a39be42`](https://github.com/npm/npm/commit/21a39be4241a60a898d11a5967f3fc9868ef70c9) `marked@0.3.1`:5 ([@joshbruce](https://github.com/joshbruce)) * [`dabdf57b2`](https://github.com/npm/npm/commit/dabdf57b2d60d665728894b4c1397b35aa9d41c0) `mississippi@2.0.0` * [`2594c5867`](https://github.com/npm/npm/commit/2594c586723023edb1db172779afb2cbf8b30c08) `npm-registry-couchapp@2.7.1` ([@iarna](https://github.com/iarna)) * [`8abb3f230`](https://github.com/npm/npm/commit/8abb3f230f119fe054353e70cb26248fc05db0b9) `osenv@0.1.5` ([@isaacs](https://github.com/isaacs)) * [`11a0b00bd`](https://github.com/npm/npm/commit/11a0b00bd3c18625075dcdf4a5cb6500b33c6265) `pacote@7.3.3` ([@zkat](https://github.com/zkat)) * [`9b6bdb2c7`](https://github.com/npm/npm/commit/9b6bdb2c77e49f6d473e70de4cd83c58d7147965) `query-string@5.1.0` ([@sindresorhus](https://github.com/sindresorhus)) * [`d6d17d6b5`](https://github.com/npm/npm/commit/d6d17d6b532cf4c3461b1cf2e0404f7c62c47ec4) `readable-stream@2.3.4` ([@mcollina](https://github.com/mcollina)) * [`51370aad5`](https://github.com/npm/npm/commit/51370aad561b368ccc95c1c935c67c8cd2844d40) `semver@5.5.0` ([@isaacs](https://github.com/isaacs)) * [`0db14bac7`](https://github.com/npm/npm/commit/0db14bac762dd59c3fe17c20ee96d2426257cdd5) [`81da938ab`](https://github.com/npm/npm/commit/81da938ab6efb881123cdcb44f7f84551924c988) [`9999e83f8`](https://github.com/npm/npm/commit/9999e83f87c957113a12a6bf014a2099d720d716) `ssri@5.2.4` ([@zkat](https://github.com/zkat)) * [`f526992ab`](https://github.com/npm/npm/commit/f526992ab6f7322a0b3a8d460dc48a2aa4a59a33) `tap@11.1.1` ([@isaacs](https://github.com/isaacs)) * [`be096b409`](https://github.com/npm/npm/commit/be096b4090e2a33ae057912d28fadc5a53bd3391) [`dc3059522`](https://github.com/npm/npm/commit/dc3059522758470adc225f0651be72c274bd29ef) `tar@4.3.3` * [`6b552daac`](https://github.com/npm/npm/commit/6b552daac952f413ed0e2df762024ad219a8dc0a) `uuid@3.2.1` ([@broofa](https://github.com/broofa)) * [`8c9011b72`](https://github.com/npm/npm/commit/8c9011b724ad96060e7e82d9470e9cc3bb64e9c6) `worker-farm@1.5.2` ([@rvagg](https://github.com/rvagg)) ## v5.6.0 (2017-11-27): ### Features! You may have noticed this is a semver-minor bump. Wondering why? This is why! * [`bc263c3fd`](https://github.com/npm/npm/commit/bc263c3fde6ff4b04deee132d0a9d89379e28c27) [#19054](https://github.com/npm/npm/pull/19054) **Fully cross-platform `package-lock.json`**. Installing a failing optional dependency on one platform no longer removes it from the dependency tree, meaning that `package-lock.json` should now be generated consistently across platforms! 🎉 ([@iarna](https://github.com/iarna)) * [`f94fcbc50`](https://github.com/npm/npm/commit/f94fcbc50d8aec7350164df898d1e12a1e3da77f) [#19160](https://github.com/npm/npm/pull/19160) Add `--package-lock-only` config option. This makes it so you can generate a target `package-lock.json` without performing a full install of `node_modules`. ([@alopezsanchez](https://github.com/alopezsanchez)) * [`66d18280c`](https://github.com/npm/npm/commit/66d18280ca320f880f4377cf80a8052491bbccbe) [#19104](https://github.com/npm/npm/pull/19104) Add new `--node-options` config to pass through a custom `NODE_OPTIONS` for lifecycle scripts. ([@bmeck](https://github.com/bmeck)) * [`114d518c7`](https://github.com/npm/npm/commit/114d518c75732c42acbef3acab36ba1d0fd724e2) Ignore mtime when packing tarballs: This means that doing `npm pack` on the same repository should yield two tarballs with the same checksum. This will also help prevent cache bloat when using git dependencies. In the future, this will allow npm to explicitly cache git dependencies. ([@isaacs](https://github.com/isaacs)) ### Node 9 Previously, it turns out npm broke on the latest Node, `node@9`. We went ahead and fixed it up so y'all should be able to use the latest npm again! * [`4ca695819`](https://github.com/npm/npm/commit/4ca6958196ae41cef179473e3f7dbed9df9a32f1) `minizlib@1.0.4`: `Fix node@9` incompatibility. ([@isaacs](https://github.com/isaacs)) * [`c851bb503`](https://github.com/npm/npm/commit/c851bb503a756b7cd48d12ef0e12f39e6f30c577) `tar@4.0.2`: Fix `node@9` incompatibility. ([@isaacs](https://github.com/isaacs)) * [`6caf23096`](https://github.com/npm/npm/commit/6caf2309613d14ce77923ad3d1275cb89c6cf223) Remove "unsupported" warning for Node 9 now that things are fixed. ([@iarna](https://github.com/iarna)) * [`1930b0f8c`](https://github.com/npm/npm/commit/1930b0f8c44373301edc9fb6ccdf7efcb350fa42) Update test matrix with `node@8` LTS and `node@9`. ([@iarna](https://github.com/iarna)) ### Bug Fixes * [`b70321733`](https://github.com/npm/npm/commit/b7032173361665a12c9e4200bdc3f0eb4dee682f) [#18881](https://github.com/npm/npm/pull/18881) When dealing with a `node_modules` that was created with older versions of npm (and thus older versions of npa) we need to gracefully handle older spec entries. Failing to do so results in us treating those packages as if they were http remote deps, which results in invalid lock files with `version` set to tarball URLs. This should now be fixed. ([@iarna](https://github.com/iarna)) * [`2f9c5dd00`](https://github.com/npm/npm/commit/2f9c5dd0046a53ece3482e92a412413f5aed6955) [#18880](https://github.com/npm/npm/pull/18880) Stop overwriting version in package data on disk. This is another saf