npm/cli

NEW FEATURES

• 6e9f04b0b npm/cli#8 Search for authentication token defined by environment variables by preventing the translation layer from env variable to npm option from breaking :_authToken. (@mkhl)
• 84bfd23e7 npm/cli#35 Stop filtering out non-IPv4 addresses from local-addrs, making npm actually use IPv6 addresses when it must. (@valentin2105)
• 792c8c709 npm/cli#31 configurable audit level for non-zero exit npm audit currently exits with exit code 1 if any vulnerabilities are found of any level. Add a flag of --audit-level to npm audit to allow it to pass if only vulnerabilities below a certain level are found. Example: npm audit --audit-level=high will exit with 0 if only low or moderate level vulns are detected. (@lennym)

BUGFIXES

• d81146181 npm/cli#32 Don't check for updates to npm when we are updating npm itself. (@olore)

DEPENDENCY UPDATES

A very special dependency update event! Since the release of node-gyp@3.8.0, an awkward version conflict that was preventing request from begin flattened was resolved. This means two things:

1. We've cut down the npm tarball size by another 200kb, to 4.6MB
2. npm audit now shows no vulnerabilities for npm itself!

Thanks, @rvagg!

• 866d776c2 request@2.87.0 (@simov)
• f861c2b57 node-gyp@3.8.0 (@rvagg)
• 32e6947c6 npm/cli#39 colors@1.1.2: REVERT REVERT, newer versions of this library are broken and print ansi codes even when disabled. (@iarna)
• beb96b92c libcipm@2.0.1 (@zkat)
• 348fc91ad validate-npm-package-license@3.0.4: Fixes errors with empty or string-only license fields. (@Gudahtt)
• e57d34575 iferr@1.0.2 (@shesek)
• 46f1c6ad4 tar@4.4.6 (@isaacs)
• 50df1bf69 hosted-git-info@2.7.1 (@iarna)
  (@Erveon) (@huochunpeng)

DOCUMENTATION

• af98e76ed npm/cli#34 Remove npm publish from list of commands not affected by --dry-run. (@joebowbeer)
• e2b0f0921 npm/cli#36 Tweak formatting in repository field examples. (@noahbenham)
• e2346e770 npm/cli#14 Used process.env examples to make accessing certain npm run-scripts environment variables more clear. (@mwarger)

This is basically the same as the prerelease, but two dependencies have been bumped due to bugs that had been around for a while.

• 0a22be42e figgy-pudding@3.2.0 (@zkat)
• 0096f6997 cacache@11.1.0 (@zkat)

In case you missed it, we moved!. We look forward to seeing future PRs landing in npm/cli in the future, and we'll be chatting with you all in npm.community. Go check it out!

This final release of npm@6.2.0 includes a couple of features that weren't quite ready on time but that we'd still like to include. Enjoy!

FEATURES

• 244b18380 #20554 add support for --parseable output (@luislobo)
• 7984206e2 #12697 Add new sign-git-commit config to control whether the git commit itself gets signed, or just the tag (which is the default). (@tribou)

FIXES

• 4c32413a5 #19418 Do not use SET to fetch the env in git-bash or Cygwin. (@gucong3000)

DEPENDENCY BUMPS

• d9b2712a6 request@2.81.0: Downgraded to allow better deduplication. This does introduce a bunch of hoek-related audit reports, but they don't affect npm itself so we consider it safe. We'll upgrade request again once node-gyp unpins it. (@simov)
• 2ac48f863 node-gyp@3.7.0 (@MylesBorins)
• 8dc6d7640 cli-table3@0.5.0: cli-table2 is unmaintained and required lodash. With this dependency bump, we've removed lodash from our tree, which cut back tarball size by another 300kb. (@Turbo87)
• 90c759fee npm-audit-report@1.3.1 (@zkat)
• 4231a0a1e Add cli-table3 to bundleDeps. (@iarna)
• 322d9c2f1 Make standard happy. (@iarna)

DOCS

• 5724983ea #21165 Fix some markdown formatting in npm-disputes.md. (@hchiam)
• 738178315 #20920 Explicitly state that republishing an unpublished package requires a 72h waiting period. (@gmattie)
• f0a372b07 Replace references to the old repo or issue tracker. We're at npm/cli now! (@zkat)