Update npm to 2.x in Node 0.10 #5570

Closed
mgol opened this issue Mar 4, 2016 · 16 comments
Labels
npm Issues and PRs related to the npm client dependency or the npm registry.

Comments

@mgol
Contributor

mgol commented Mar 4, 2016

  • Version: output of node -v

v0.10.43

  • Platform: either uname -a output, or if Windows, version and 32-bit or
    64-bit

Darwin mgol-mbpro.local 15.3.0 Darwin Kernel Version 15.3.0: Thu Dec 10 18:40:58 PST 2015; root:xnu-3248.30.4~1/RELEASE_X86_64 x86_64

  • Subsystem: optional. if known - please specify affected core module name

npm

Since 2-3 0.10.x versions the included npm 1.4.29 on each operation displays a message:

npm WARN deprecated This version of npm lacks support for important features,
npm WARN deprecated such as scoped packages, offered by the primary npm
npm WARN deprecated registry. Consider upgrading to at least npm@2, if not the
npm WARN deprecated latest stable version. To upgrade to npm@2, run:
npm WARN deprecated 
npm WARN deprecated   npm -g install npm@latest-2
npm WARN deprecated 
npm WARN deprecated To upgrade to the latest stable version, run:
npm WARN deprecated 
npm WARN deprecated   npm -g install npm@latest
npm WARN deprecated 
npm WARN deprecated (Depending on how Node.js was installed on your system, you
npm WARN deprecated may need to prefix the preceding commands with `sudo`, or if
npm WARN deprecated on Windows, run them from an Administrator prompt.)
npm WARN deprecated 
npm WARN deprecated If you're running the version of npm bundled with
npm WARN deprecated Node.js 0.10 LTS, be aware that the next version of 0.10 LTS
npm WARN deprecated will be bundled with a version of npm@2, which has some small
npm WARN deprecated backwards-incompatible changes made to `npm run-script` and
npm WARN deprecated semver behavior.
/Users/mgol/.nvm/v0.10.43/bin/npm -> /Users/mgol/.nvm/v0.10.43/lib/node_modules/npm/bin/npm-cli.js
npm@2.14.21 /Users/mgol/.nvm/v0.10.43/lib/node_modules/npm

The message claims that the next version of 0.10 will include the upgrade to npm 2; however, there have already been a few versions displaying this message without the promised update.

cc @othiym23

@MylesBorins
Member

/cc @nodejs/lts

The update to 1.4.29 happened about 4 months ago when we were still figuring out the support system we were going to use for LTS releases.

At the current moment 0.10 is in Maintenance mode and will be receiving only critical bug fixes and critical security fixes, as mentioned in our LTS guide.

0.10 is scheduled to end Maintenance in October of this year.

At this point I think it is fairly safe to assume that any changes to npm would fall outside of the current support offered for v0.10. It is unfortunate that the message output by npm is not in line with the current plan... but I doubt we would do any updates to npm on v0.10 again.

I'm going to leave this open for a couple days so people can chime in, but will likely close this as a wont-fix Monday or Tuesday unless there are others from @nodejs/lts who feel otherwise

@mgol
Contributor Author

mgol commented Mar 4, 2016

I see, thanks for the explanation. In that case changing this message so that it doesn't lie might be considered a bug fix, but since it's not security-related I'd understand if you don't want to land it (OTOH, changing it would be trivial ;)).

@mscdex added the npm and v0.10 labels Mar 4, 2016
@MylesBorins
Member

@mgol It is pretty unfortunate to have the wrong messaging... but fixing that would require a new npm release, and for that npm release to be downstreamed to v0.10

I don't think it is likely to happen

edit: I was wrong 😄

@mgol
Contributor Author

mgol commented Mar 4, 2016

If you don't plan future npm updates, you can change it in the Node repo as in the ol' io.js times. ;)

Michał Gołębiowski

@ChALkeR
Member

ChALkeR commented Mar 5, 2016

Related: #3639.

@mgol
Contributor Author

mgol commented Mar 5, 2016

@ChALkeR The PR linked was released in Node 0.10.41 on Dec 4, 2015, over a month after Node 5.0.0 was released. I thought LTS rules were already established then?

@ChALkeR
Member

ChALkeR commented Mar 5, 2016

I guess we should /cc @nodejs/lts and @othiym23 for that.

@rvagg
Member

rvagg commented Mar 7, 2016

ping @nodejs/npm, I've also been asking for an update on 0.12 which has an older v2

Do we have a doc somewhere on how to properly do this upgrade ourselves without messing things up? I've not been brave enough to dive in there but would really like to be able to get both 0.10 and 0.12 updated.

@mgol
Contributor Author

mgol commented Mar 7, 2016

Yeah, looking at the 1.4.29 PR & related discussions, while npm@2 contains minor breaking changes it also contains security fixes; npm@1 may e.g. leak user credentials on publish which is serious. I think it might be treated as a security fix with minor, unavoidable, breaking changes.

It'd be good to avoid the Node 0.8 fiasco where an old npm was never upgraded after all, leaving users with a broken & vulnerable copy.

@MylesBorins
Member

@rvagg thanks for clarifying. @mgol sorry for being off base, glad to see this is being considered. I'm going to add this to the LTS agenda so that it gets discussed in the next LTS meeting

@othiym23
Contributor

othiym23 commented Mar 7, 2016

Say the word and you'll have piping hot PRs containing the newest npm@lts stable releases for both 0.10 and 0.12. I would love to get everyone off npm@1, as the npm CLI team no longer has the resources to support it.

@Fishrock123
Member

> The message claims that the next version of 0.10 will include the upgrade to npm 2; however, there have already been a few versions displaying this message without the promised update.

OOoooops

> Do we have a doc somewhere on how to properly do this upgrade ourselves without messing things up? I've not been brave enough to dive in there but would really like to be able to get both 0.10 and 0.12 updated.

@rvagg It's documented on the npm wiki, and I've done it before. (I forget when, a while ago)

I think the best way to go about this is to have npm PRs and then create RCs. cc @nodejs/npm if it's not a bother, would you mind doing the PRs?

Whether you do official releases before or not is up to you. I am ok having an RC for testing first before having an official npm release of 1.x if that is more favorable.

@ChALkeR
Member

ChALkeR commented Mar 7, 2016

@Fishrock123

> I am ok having an RC for testing first before having an official npm release of 1.x if that is more favorable.

Am I missing something? Why would we need one more npm release in 1.x branch?

@othiym23
Contributor

othiym23 commented Mar 7, 2016

Sure, @Fishrock123, I'll assemble those PRs today. To be clear, though, those are both using npm@lts (i.e. 2.14.x) as their versions, right?

@Fishrock123
Member

Doh. @othiym23 yes, I was in error.

@ChALkeR
Member

ChALkeR commented Apr 4, 2016

Node.js v0.10.44 is out with npm v2.15.1.
