Release/v7.0.8

AUTHORS

@@ -727,3 +727,6 @@ Jake Champion <me@jakechampion.name>
 takenspc <taken.spc@gmail.com>
 iraj <irajtaghlidi@gmail.com>
 Michele Azzolari <michele@azzolari.it>
+foxxyz <foxxyz@gmail.com>
+Dr <dr@dr.run>
+Jan Tojnar <jtojnar@gmail.com>

CHANGELOG.md

@@ -1,3 +1,59 @@
+## 7.0.8 (2020-11-03)
+
+### DOCUMENTATION
+
+* [`052e977b9`](https://github.com/npm/cli/commit/052e977b9d071e1b3654976881d10cd3ddcba788)
+  [#1822](https://github.com/npm/cli/issues/1822)
+  [#1247](https://github.com/npm/cli/issues/1247)
+  add section on peerDependenciesMeta field in package.json
+  ([@foxxyz](https://github.com/foxxyz))
+* [`52d32d175`](https://github.com/npm/cli/commit/52d32d1758c5ebc58944a1e8d98d57e30048e527)
+  [#1970](https://github.com/npm/cli/issues/1970)
+  match npm-exec.md -p usage with lib/exec.js
+  ([@dr-js](https://github.com/dr-js))
+* [`48ee8d01e`](https://github.com/npm/cli/commit/48ee8d01edd11ed6186c483e1169ff4d2070b963)
+  [#2096](https://github.com/npm/cli/issues/2096)
+  Fix RFC links in changelog
+  ([@jtojnar](https://github.com/jtojnar))
+
+
+### BUG FIXES
+
+* [`6cd3cd08a`](https://github.com/npm/cli/commit/6cd3cd08af56445e13757cac3af87f3e7d54ed27)
+  Support *all* conf keys in publishConfig
+* [`a1f9be8a7`](https://github.com/npm/cli/commit/a1f9be8a7f9b7a3a813fc3e5e705bc982470b0e2)
+  [#2074](https://github.com/npm/cli/issues/2074)
+  Support publishing any kind of spec, not just directories
+
+### DEPENDENCIES
+
+* [`545382df6`](https://github.com/npm/cli/commit/545382df62e3014f3e51d7034e52498fb2b01a37)
+  `libnpmpublish@4.0.0`:
+    * Support publishing things other than folders
+* [`7d88f1719`](https://github.com/npm/cli/commit/7d88f17197e3c8cca9b277378d6f9b054b1b7886)
+  `npm-registry-fetch@9.0.0`
+* [`823b40a4e`](https://github.com/npm/cli/commit/823b40a4e9c6ef76388af6fe01a3624f6f7675be)
+  `pacote@11.1.12`
+* [`90bf57826`](https://github.com/npm/cli/commit/90bf57826edf2f78ddf8deb0793115ead8a8b556)
+  `npm-profile@5.0.2`
+* [`e5a413577`](https://github.com/npm/cli/commit/e5a4135770d13cf114fac439167637181f87d824)
+  `libnpmteam@2.0.2`
+* [`fc5aa7b4a`](https://github.com/npm/cli/commit/fc5aa7b4ad45cb65893f734e1229a6720f7966e5)
+  `libnpmsearch@3.0.1`
+* [`9fc1dee13`](https://github.com/npm/cli/commit/9fc1dee138ca33ecdbd57e63142b27c60cf88f9b)
+  `libnpmorg@2.0.1`
+* [`0ea870ec5`](https://github.com/npm/cli/commit/0ea870ec5d2be1d44f050ad8bc24ed936cc45fde)
+  `libnpmhook@6.0.1`
+* [`32fd744ea`](https://github.com/npm/cli/commit/32fd744ea745f297f0be79a80955f077a57c4ac7)
+  `libnpmaccess@4.0.1`
+* [`fc76f3d9f`](https://github.com/npm/cli/commit/fc76f3d9fcf19e65a9373ab3d9068c4326d2f782)
+  `@npmcli/arborist@1.0.8`
+    * Fix `cannot read property 'description' of undefined` in `npm ls`
+      when `package-lock.json` is corrupted
+    * Do not allow peerDependencies to be nested under dependents in any
+      circumstances
+    * Always resolve peerDependencies in `--prefer-dedupe` mode
+
 ## 7.0.7 (2020-10-30)
 
 ### BUG FIXES
@@ -602,7 +658,7 @@
   sources ([@ruyadorno](https://github.com/ruyadorno))
 * [`3a63ecb6f`](https://github.com/npm/cli/commit/3a63ecb6f6a0b235660f73a3ffa329b1f131b0c3)
   [#1718](https://github.com/npm/cli/pull/1718)
-  [RFC-0029](https://github.com/npm/rfcs/blob/latest/accepted/0029-add-ability-to-skip-hooks.md)
+  [RFC-0029](https://github.com/npm/rfcs/blob/latest/implemented/0029-add-ability-to-skip-hooks.md)
   add ability to skip pre/post hooks to `npm run-script` by using
   `--ignore-scripts` ([@ruyadorno](https://github.com/ruyadorno))
 
@@ -829,7 +885,7 @@ Now on to the list of **BREAKING CHANGES**!
 ### Programmatic Usage
 
 - [RFC
-  20](https://github.com/npm/rfcs/blob/latest/accepted/0020-npm-option-handling.md)
+  20](https://github.com/npm/rfcs/blob/latest/implemented/0020-npm-option-handling.md)
   The CLI and its dependencies no longer use the `figgy-pudding` library
   for configs.  Configuration is done using a flat plain old JavaScript
   object.
@@ -859,7 +915,7 @@ The environment for lifecycle scripts (eg, build scripts, `npm test`, etc.)
 has changed.
 
 - [RFC
-  21](https://github.com/npm/rfcs/blob/latest/accepted/0021-reduce-lifecycle-script-environment.md)
+  21](https://github.com/npm/rfcs/blob/latest/implemented/0021-reduce-lifecycle-script-environment.md)
   Environment no longer includes `npm_package_*` fields, or `npm_config_*`
   fields for default configs.  `npm_package_json`, `npm_package_integrity`,
   `npm_package_resolved`, and `npm_command` environment variables added.
@@ -868,13 +924,13 @@ has changed.
     release](https://github.com/npm/rfcs/pull/183))
 
 - [RFC
-  22](https://github.com/npm/rfcs/blob/latest/accepted/0022-quieter-install-scripts.md)
+  22](https://github.com/npm/rfcs/blob/latest/implemented/0022-quieter-install-scripts.md)
   Scripts run during the normal course of installation are silenced unless
   they exit in error (ie, with a signal or non-zero exit status code), and
   are for a non-optional dependency.
 
 - [RFC
-  24](https://github.com/npm/rfcs/blob/latest/accepted/0024-npm-run-traverse-directory-tree.md)
+  24](https://github.com/npm/rfcs/blob/latest/implemented/0024-npm-run-traverse-directory-tree.md)
   `PATH` environment variable includes all `node_modules/.bin` folders,
   even if found outside of an existing `node_modules` folder hierarchy.
 
@@ -924,7 +980,7 @@ We do intend to continue supporting the `npx` that npm ships; just not the
 ### Files On Disk
 
 - [RFC
-  13](https://github.com/npm/rfcs/blob/latest/accepted/0013-no-package-json-_fields.md)
+  13](https://github.com/npm/rfcs/blob/latest/implemented/0013-no-package-json-_fields.md)
   Installed `package.json` files no longer are mutated to include extra
   metadata.  (This extra metadata is stored in the lockfile.)
 - `package-lock.json` is updated to a newer format, using
@@ -940,7 +996,7 @@ These changes affect `install`, `ci`, `install-test`, `install-ci-test`,
 `update`, `prune`, `dedupe`, `uninstall`, `link`, and `audit fix`.
 
 - [RFC
-  25](https://github.com/npm/rfcs/blob/latest/accepted/0025-install-peer-deps.md)
+  25](https://github.com/npm/rfcs/blob/latest/implemented/0025-install-peer-deps.md)
   `peerDependencies` are installed by default.  This behavior can be
   disabled by setting the `legacy-peer-deps` configuration flag.
 
@@ -951,7 +1007,7 @@ These changes affect `install`, `ci`, `install-test`, `install-ci-test`,
     of correctness.  Use the `--legacy-peer-deps` config flag if impacted.
 
 - [RFC
-  23](https://github.com/npm/rfcs/blob/latest/accepted/0023-acceptDependencies.md)
+  23](https://github.com/npm/rfcs/blob/latest/implemented/0023-acceptDependencies.md)
   Support for `acceptDependencies` is added.  This can result in dependency
   resolutions that previous versions of npm will incorrectly flag as invalid.
 
@@ -973,23 +1029,23 @@ These changes affect `install`, `ci`, `install-test`, `install-ci-test`,
 ### Workspaces
 
 - [RFC
-  26](https://github.com/npm/rfcs/blob/latest/accepted/0026-workspaces.md)
+  26](https://github.com/npm/rfcs/blob/latest/implemented/0026-workspaces.md)
   First phase of `workspaces` support is added.  This changes npm's
   behavior when a root project's `package.json` file contains a
   `workspaces` field.
 
 ### `npm update`
 
 - [RFC
-  19](https://github.com/npm/rfcs/blob/latest/accepted/0019-remove-update-depth-option.md)
+  19](https://github.com/npm/rfcs/blob/latest/implemented/0019-remove-update-depth-option.md)
   Update all dependencies when `npm update` is run without any arguments.
   As it is no longer relevant, `--depth` config flag removed from `npm
   update`.
 
 ### `npm outdated`
 
 - [RFC
-  27](https://github.com/npm/rfcs/blob/latest/accepted/0027-remove-depth-outdated.md)
+  27](https://github.com/npm/rfcs/blob/latest/implemented/0027-remove-depth-outdated.md)
   Remove `--depth` config from `npm outdated`.  Only top-level dependencies
   are shown, unless `--all` config option is set.
 

docs/content/commands/npm-exec.md

@@ -30,9 +30,9 @@ This command allows you to run an arbitrary command from an npm package
 (either one installed locally, or fetched remotely), in a similar context
 as running it via `npm run`.
 
-Whatever packages are specified by the `--package` or `-p` option will be
+Whatever packages are specified by the `--package` option will be
 provided in the `PATH` of the executed command, along with any locally
-installed package executables.  The `--package` or `-p` option may be
+installed package executables.  The `--package` option may be
 specified multiple times, to execute the supplied command in an environment
 where all specified packages are available.
 
@@ -48,7 +48,7 @@ only be considered a match if they have the exact same name and version as
 the local dependency.
 
 If no `-c` or `--call` option is provided, then the positional arguments
-are used to generate the command string.  If no `-p` or `--package` options
+are used to generate the command string.  If no `--package` options
 are provided, then npm will attempt to determine the executable name from
 the package specifier provided as the first positional argument according
 to the following heuristic:

docs/content/configuring-npm/package-json.md

@@ -716,6 +716,30 @@ the host package's major version will break your plugin. Thus, if you've worked
 with every 1.x version of the host package, use `"^1.0"` or `"1.x"` to express
 this. If you depend on features introduced in 1.5.2, use `">= 1.5.2 < 2"`.
 
+### peerDependenciesMeta
+
+When a user installs your package, npm will emit warnings if packages specified in `peerDependencies` are not already installed. The `peerDependenciesMeta` field serves to provide npm more information on how your peer dependencies are to be used. Specifically, it allows peer dependencies to be marked as optional.
+
+For example:
+
+```json
+{
+  "name": "tea-latte",
+  "version": "1.3.5",
+  "peerDependencies": {
+    "tea": "2.x",
+    "soy-milk": "1.2"
+  },
+  "peerDependenciesMeta": {
+    "soy-milk": {
+      "optional": true
+    }
+  }
+}
+```
+
+Marking a peer dependency as optional ensures npm will not emit a warning if the `soy-milk` package is not installed on the host. This allows you to integrate and interact with a variety of host packages without requiring all of them to be installed.
+
 ### bundledDependencies
 
 This defines an array of package names that will be bundled when publishing

lib/publish.js

@@ -6,12 +6,17 @@ const semver = require('semver')
 const pack = require('libnpmpack')
 const libpub = require('libnpmpublish').publish
 const runScript = require('@npmcli/run-script')
+const pacote = require('pacote')
+const npa = require('npm-package-arg')
 
 const npm = require('./npm.js')
 const output = require('./utils/output.js')
 const otplease = require('./utils/otplease.js')
 const { getContents, logTar } = require('./utils/tar.js')
 
+// this is the only case in the CLI where we use the old full slow
+// 'read-package-json' module, because we want to pull in all the
+// defaults and metadata, like git sha's and default scripts and all that.
 const readJson = util.promisify(require('read-package-json'))
 
 const completion = require('./utils/completion/none.js')
@@ -46,47 +51,75 @@ const publish = async args => {
   return tarball
 }
 
+// if it's a directory, read it from the file system
+// otherwise, get the full metadata from whatever it is
+const getManifest = (spec, opts) =>
+  spec.type === 'directory' ? readJson(`${spec.fetchSpec}/package.json`)
+  : pacote.manifest(spec, { ...opts, fullMetadata: true })
+
+// for historical reasons, publishConfig in package.json can contain
+// ANY config keys that npm supports in .npmrc files and elsewhere.
+// We *may* want to revisit this at some point, and have a minimal set
+// that's a SemVer-major change that ought to get a RFC written on it.
+const { flatten } = require('./utils/flat-options.js')
+const publishConfigToOpts = publishConfig =>
+  // create a new object that inherits from the config stack
+  // then squash the css-case into camelCase opts, like we do
+  flatten(Object.assign(Object.create(npm.config.list[0]), publishConfig))
+
 const publish_ = async (arg, opts) => {
   const { unicode, dryRun, json } = opts
-  let manifest = await readJson(`${arg}/package.json`)
-
-  // prepublishOnly
-  await runScript({
-    event: 'prepublishOnly',
-    path: arg,
-    stdio: 'inherit',
-    pkg: manifest,
-  })
+  // you can publish name@version, ./foo.tgz, etc.
+  // even though the default is the 'file:.' cwd.
+  const spec = npa(arg)
+  const manifest = await getManifest(spec, opts)
+
+  if (manifest.publishConfig)
+    Object.assign(opts, publishConfigToOpts(manifest.publishConfig))
+
+  // only run scripts for directory type publishes
+  if (spec.type === 'directory') {
+    await runScript({
+      event: 'prepublishOnly',
+      path: spec.fetchSpec,
+      stdio: 'inherit',
+      pkg: manifest,
+    })
+  }
 
-  const tarballData = await pack(arg)
+  const tarballData = await pack(spec, opts)
   const pkgContents = await getContents(manifest, tarballData)
 
+  // note that logTar calls npmlog.notice(), so if we ARE in silent mode,
+  // this will do nothing, but we still want it in the debuglog if it fails.
   if (!json)
     logTar(pkgContents, { log, unicode })
 
   if (!dryRun) {
     // The purpose of re-reading the manifest is in case it changed,
     // so that we send the latest and greatest thing to the registry
-    manifest = await readJson(`${arg}/package.json`)
-    const { publishConfig } = manifest
-    await otplease(opts, opts => libpub(arg, manifest, { ...opts, publishConfig }))
+    // note that publishConfig might have changed as well!
+    const manifest = await getManifest(spec, opts)
+    if (manifest.publishConfig)
+      Object.assign(opts, publishConfigToOpts(manifest.publishConfig))
+    await otplease(opts, opts => libpub(manifest, tarballData, opts))
   }
 
-  // publish
-  await runScript({
-    event: 'publish',
-    path: arg,
-    stdio: 'inherit',
-    pkg: manifest,
-  })
-
-  // postpublish
-  await runScript({
-    event: 'postpublish',
-    path: arg,
-    stdio: 'inherit',
-    pkg: manifest,
-  })
+  if (spec.type === 'directory') {
+    await runScript({
+      event: 'publish',
+      path: spec.fetchSpec,
+      stdio: 'inherit',
+      pkg: manifest,
+    })
+
+    await runScript({
+      event: 'postpublish',
+      path: spec.fetchSpec,
+      stdio: 'inherit',
+      pkg: manifest,
+    })
+  }
 
   return pkgContents
 }