v5.1.0
Hey y'all~
We've got some goodies for you here, including npm@5
's first semver-minor release! This version includes a huge number of fixes, particularly for some of the critical bugs users were running into after upgrading npm. You should overall see a much more stable experience, and we're going to continue hacking on fixes for the time being. Semver-major releases, specially for tools like npm, are bound to cause some instability, and getting npm@5
stable is the CLI team's top priority for now!
Not that bugfixes are the only things that landed, either: between improvements that fell out of the bugfixes, and some really cool work by community members like @mikesherov, npm@5.1.0
is twice as fast as npm@5.0.0
in some benchmarks. We're not stopping there, either: you can expect a steady stream of speed improvements over the course of the year. It's not top priority, but we'll keep doing what we can to make sure npm saves its users as much time as possible.
Hang on to your seats. At 100 commits, this release is a bit of a doozy. 😎
FEATURES
Semver-minor releases, of course, mean that there's a new feature somewhere, right? Here's what's bumping that number for us this time:
a09c1a69d
#16687 Allow customizing the shell used to executerun-script
s. (@mmkal)4f45ba222
a48958598
901bef0e1
#17508 Add a newrequires
field topackage-lock.json
with information about the logical dependency tree. This includes references to the specific version each package is intended to see, and can be used for many things, such as convertingpackage-lock.json
to other lockfile formats, various optimizations, and verifying correctness of a package tree. (@iarna)47e8fc8eb
#17508 Makenpm ls
take package locks (and shrinkwraps) into account. This meansnpm ls
can now be used to see which dependencies are missing, so long as a package lock has been previously generated with it in. (@iarna)f0075e7ca
#17508 Takepackage.json
changes into account when running installs -- if you remove or add a dependency topackage.json
manually, npm will now pick that up and update your tree and package lock accordingly. (@iarna)83a5455aa
#17205 Addnpm udpate
as an alias fornpm update
, for symmetry withinstall
/isntall
. (@gdassori)57225d394
#17120 npm will no longer warn aboutpreferGlobal
, and the option is now deprecated. (@zkat)82df7bb16
#17351 As some of you may already knownpm build
doesn't do what a lot of people expect: It's mainly an npm plumbing command, and is part of the more familiarnpm rebuild
command. That said, a lot of users assume that this is the way to run an npmrun-script
namedbuild
, which is an incredibly common script name to use. To clarify things for users, and encourage them to usenpm run build
instead, npm will now warn ifnpm build
is run without any arguments. (@lennym)
PERFORMANCE
59f86ef90
43be9d222
e906cdd98
#16633 npm now parallelizes tarball extraction across multiple child process workers. This can significantly speed up installations, specially when installing from cache, and will improve with number of processors. (@zkat)e0849878d
#17441 Avoid building environment for empty lifecycle scripts. This change alone accounted for as much as a 15% speed boost for npm installations by outright skipping entire steps of the installer when not needed. (@mikesherov)265c2544c
npm/hosted-git-info#24hosted-git-info@2.5.0
: Add caching tofromURL
, which gets called many, many times by the installer. This improved installation performance by around 10% on realistic application repositories. (@mikesherov)901d26cb
npm/read-package-json#20read-package-json@2.0.9
: Speed up installs by as much as 20% by reintroducing a previously-removed cache and making it actually be correct this time around. (@mikesherov)44e37045d
EliminateBluebird.promisifyAll
from our codebase. (@iarna)3b4681b53
#17508 Stop callingaddBundle
on locked deps, speeding up thepackage-lock.json
-based fast path. (@iarna)
BUGFIXES
- #17508 This is a big PR that fixes a variety of issues when installing from package locks. If you were previously having issues with missing dependencies or unwanted removals, this might have fixed it (@iarna):
- It introduces a new
package-lock.json
field, calledrequires
, which tracks which modules a given module requires. - It fixes #16839 which was caused by not having this information available, particularly when git dependencies were involved.
- It fixes #16866, allowing the
package.json
to trump thepackage-lock.json
. npm ls
now loads the shrinkwrap, which opens the door to showing a full tree of dependencies even when nothing is yet installed. (It doesn't do that yet though.)
- It introduces a new
656544c31
d21ab57c3
#16637 Fix some cases wherenpm prune
was leaving some dependencies unpruned if to-be-pruned dependencies depended on them. (@exogen)394436b09
#17552 Makerefresh-package-json
re-verify the package platform. This fixes an issue most notably experienced by Windows users usingcreate-react-app
wherefsevents
would not short-circuit and cause a crash during its otherwise-skipped native build phase. (@zkat)9e5a94354
#17590 Fix an issue wherenpm@5
would crash when trying to remove packages installed withnpm@<5
. (@iarna)c3b586aaf
#17141 Don't update the package.json when modifying packages that don't go there. This was previously causingpackage.json
to get a"false": {}
field added. (@iarna)d04a23de2
4a5b360d5
d9e53db48
pacote@2.7.38
(@colinrotherham, @zkat, @mcibique):- zkat/pacote#102 Fix issue with tar extraction and special characters.
- Enable loose semver parsing in some missing corner cases.
e2f815f87
#17104 Write an empty str and wait for flush to exit to reduce issues with npm exiting before all output is complete when it's a child process. (@zkat)835fcec60
#17060 Make git repos with prepare scripts always install with both dev and prod flags. (@intellix)f1dc8a175
#16879 Fix support foralways-auth
and_auth
. They are now both available in both unscoped and registry-scoped configurations. (@jozemlakar)ddd8a1ca2
Serialize package specs to prevent[object Object]
showing up in logs during extraction. (@zkat)99ef3b52c
#17505 Stop trying to commit updatednpm-shrinkwrap.json
andpackage-lock.json
if they're.gitignore
d. (@zkat)58be2ec59
Make sure uid and gid are getting correctly set even when they're0
. This should fix some Docker-related issues with bad permissions/broken ownership. (@rgrove)
(@zkat)9d1e3b6fa
#17506 Skip writing package.json and locks if on-disk version is identical to the new one. (@zkat)3fc6477a8
#17592 Fix an issue wherenpm install -g .
on a package with noname
field would cause the entire globalnode_modules
directory to be replaced with a symlink to$CWD
. lol. (@iarna)06ba0a14a
#17591 Fix spurious removal reporting: if you tried to remove something that didn't actually exist, npm would tell you it removed 1 package even though there wasothing to do. (@iarna)20ff05f8
#17629 When removing a link, keep dependencies installed inside of it instead of removing them, if the link is outside the scope of the current project. This fixes an issue where removing globally-linked packages would remove all their dependencies in the source directory, as well as some ergonomic issues when using links in other situations. (@iarna)
DOCS
fd5fab595
#16441 Add spec fornpm-shrinkwrap.json
andpackage-lock.json
from RFC. (@iarna)9589c1ccb
#17451 Fix typo in changelog. (@watilde)f8e76d856
#17370 Correct the default prefix config path for Windows operating systems in the documentation for npm folders. (@kierendixon)d0f3b5a12
#17369 Fixnpm-config
reference touserconfig
&globalconfig
environment variables. (@racztiborzoltan)87629880a
#17336 Remove note in docs aboutprepublish
being entirely removed. (@Hirse)a1058afd9
#17169 Document--no-package-lock
flag. (@leggsimon)32fc6e41a
#17250 Fix a typo in the shrinkwrap docs. (@Zarel)f19bd3c8c
#17249 Fix a package-lock.json cross-reference link. (@not-an-aardvark)153245edc
#17075 Fix a typo innpm-config
docs. (@KennethKinLum)c9b534a14
#17074 Clarify config documention with multiple boolean flags. (@KennethKinLum)e111b0a40
#16768 Document the-l
option tonpm config list
. (@happylynx)5a803ebad
#16548 Fix permissions for documentation files. Some of them had+x
set. (???) (@metux)d57d4f48c
#17319 Document that the--silent
option fornpm run-script
can be used to suppressnpm ERR!
output on errors. (@styfle)
MISC
Not all contributions need to be visible features, docs, or bugfixes! It's super helpful when community members go over our code and help clean it up, too!