npm install with '--no-registry' throws error #5509

Open
subesokun opened this Issue Jun 19, 2014 · 16 comments

Comments

Projects
None yet
10 participants
@subesokun

I'm trying to offline install packages from my cache but recently the trick with --no-registry stopped working for me. Below you'll find the npm-debug.log of my attempt to install Grunt from cache.

What is the current recommended way to offline install packages from the cache? If I omit the --no-registry flag and just simply use --cache-min 999999 is NPM still trying to ping the registry?

As others mentioned already in the issue #2568 I would see also a value in replacing --no-registry --cache-min 999999 by a simple and intuitive --offline flag.

npm-debug.log

0 info it worked if it ends with ok
1 verbose cli [ 'node',
1 verbose cli   '/usr/bin/npm',
1 verbose cli   'install',
1 verbose cli   '--no-registry',
1 verbose cli   '--cache-min',
1 verbose cli   '999999',
1 verbose cli   'grunt' ]
2 info using npm@1.4.16
3 info using node@v0.10.28
4 verbose node symlink /usr/bin/node
5 warn package.json test@0.0.0 No description
6 warn package.json test@0.0.0 No repository field.
7 warn package.json test@0.0.0 No README data
8 verbose readDependencies using package.json deps
9 verbose cache add [ 'grunt', null ]
10 verbose cache add name=undefined spec="grunt" args=["grunt",null]
11 verbose parsed url { protocol: null,
11 verbose parsed url   slashes: null,
11 verbose parsed url   auth: null,
11 verbose parsed url   host: null,
11 verbose parsed url   port: null,
11 verbose parsed url   hostname: null,
11 verbose parsed url   hash: null,
11 verbose parsed url   search: null,
11 verbose parsed url   query: null,
11 verbose parsed url   pathname: 'grunt',
11 verbose parsed url   path: 'grunt',
11 verbose parsed url   href: 'grunt' }
12 silly lockFile 20ff3fd8-grunt grunt
13 verbose lock grunt /home/xubuntu/.npm/20ff3fd8-grunt.lock
14 silly lockFile 20ff3fd8-grunt grunt
15 silly lockFile 20ff3fd8-grunt grunt
16 verbose addNamed [ 'grunt', '' ]
17 verbose addNamed [ null, '*' ]
18 silly lockFile 55f1ff24-grunt grunt@
19 verbose lock grunt@ /home/xubuntu/.npm/55f1ff24-grunt.lock
20 silly addNameRange { name: 'grunt', range: '*', hasData: false }
21 error TypeError: Parameter 'url' must be a string, not object
21 error     at Url.parse (url.js:107:11)
21 error     at urlParse (url.js:101:5)
21 error     at Object.urlResolve [as resolve] (url.js:411:10)
21 error     at addNameRange (/usr/lib/node_modules/npm/lib/cache/add-named.js:200:17)
21 error     at /usr/lib/node_modules/npm/lib/cache/add-named.js:47:5
21 error     at /usr/lib/node_modules/npm/lib/utils/locker.js:30:7
21 error     at /usr/lib/node_modules/npm/node_modules/lockfile/lockfile.js:143:23
21 error     at /usr/lib/node_modules/npm/node_modules/lockfile/lockfile.js:143:23
21 error     at /usr/lib/node_modules/npm/node_modules/lockfile/lockfile.js:143:23
21 error     at /usr/lib/node_modules/npm/node_modules/lockfile/lockfile.js:143:23
22 error If you need help, you may report this *entire* log,
22 error including the npm and node versions, at:
22 error     <http://github.com/npm/npm/issues>
23 error System Linux 3.13.0-24-generic
24 error command "node" "/usr/bin/npm" "install" "--no-registry" "--cache-min" "999999" "grunt"
25 error cwd /home/xubuntu/test
26 error node -v v0.10.28
27 error npm -v 1.4.16
28 verbose exit [ 1, true ]

Thanks a lot in advance.

@subesokun

This comment has been minimized.

Show comment Hide comment
@subesokun

subesokun Jun 30, 2014

Sorry to ask again but still in the latest version 1.4.18 I see this error. As it blocks me from updating NPM to the latest version this issue is very critical to me. Is there any fix or alternative ways planned to install packages offline from the cache?

Sorry to ask again but still in the latest version 1.4.18 I see this error. As it blocks me from updating NPM to the latest version this issue is very critical to me. Is there any fix or alternative ways planned to install packages offline from the cache?

@herebebeasties

This comment has been minimized.

Show comment Hide comment
@herebebeasties

herebebeasties Jul 16, 2014

We have an air-gapped network that I'm trying to bring npm up on and we're running into this.

We have an air-gapped network that I'm trying to bring npm up on and we're running into this.

@philiptzou philiptzou referenced this issue in tsuru/tsuru-deb Jul 18, 2014

Closed

Where is nodejs_0.10.26.3.orig.tar.gz? #9

@kkaempf

This comment has been minimized.

Show comment Hide comment
@kkaempf

kkaempf Jul 30, 2014

This also hits me. npm still tries to access the network when running with --cache-min 999999 only. Adding --no-registry causes this issue.

node -v v0.10.29
npm -v 1.4.14 (bundled with node 0.10.29)

kkaempf commented Jul 30, 2014

This also hits me. npm still tries to access the network when running with --cache-min 999999 only. Adding --no-registry causes this issue.

node -v v0.10.29
npm -v 1.4.14 (bundled with node 0.10.29)

@jamesfry

This comment has been minimized.

Show comment Hide comment
@jamesfry

jamesfry Jul 31, 2014

I also have issues with --no-registry. I'm being hit with this exact error with with 1.4.21 manually installed, and a slightly different issue with 1.4.14 bundled.

After a bit of superficial digging around, the latest issue might be caused by 626c3e4?

I also have issues with --no-registry. I'm being hit with this exact error with with 1.4.21 manually installed, and a slightly different issue with 1.4.14 bundled.

After a bit of superficial digging around, the latest issue might be caused by 626c3e4?

@kkaempf

This comment has been minimized.

Show comment Hide comment
@kkaempf

kkaempf Jul 31, 2014

@jamesfry no, this commit is not part of npm 1.4.14

kkaempf commented Jul 31, 2014

@jamesfry no, this commit is not part of npm 1.4.14

@jamesfry

This comment has been minimized.

Show comment Hide comment
@jamesfry

jamesfry Jul 31, 2014

Apologies, I didn't express myself properly. I meant to say I'm getting this issue with 1.4.21 (as in exactly the same trace as the original ticket message for 1.4.16 which does include the commit I referenced).

On 1.4.14 I also have problems with --no-registry, but have a different error:

npm ERR! TypeError: Cannot call method 'replace' of null
npm ERR!     at cf (c:\Program Files\nodejs\node_modules\npm\node_modules\npm-cache-filename\index.js:11:18)
npm ERR!     at RegClient.get (c:\Program Files\nodejs\node_modules\npm\node_modules\npm-registry-client\lib\get.js:24:20)
npm ERR!     at addNameRange (c:\Program Files\nodejs\node_modules\npm\lib\cache\add-named.js:198:12)
npm ERR!     at c:\Program Files\nodejs\node_modules\npm\lib\cache\add-named.js:47:5
npm ERR!     at c:\Program Files\nodejs\node_modules\npm\lib\utils\locker.js:30:7
npm ERR!     at c:\Program Files\nodejs\node_modules\npm\node_modules\lockfile\lockfile.js:143:23
npm ERR!     at c:\Program Files\nodejs\node_modules\npm\node_modules\lockfile\lockfile.js:161:16
npm ERR!     at c:\Program Files\nodejs\node_modules\npm\node_modules\graceful-fs\graceful-fs.js:105:5
npm ERR!     at Object.oncomplete (fs.js:107:15)
npm ERR! If you need help, you may report this *entire* log,
npm ERR! including the npm and node versions, at:
npm ERR!     <http://github.com/npm/npm/issues>

npm ERR! System Windows_NT 6.1.7601
npm ERR! command "c:\\Program Files\\nodejs\\node.exe" "c:\\Program Files\\nodejs\\node_modules\\npm\\bin\\npm-cli.js" "install" "jq
uery" "--no-registry" "--cache" "../npm-cache"
npm ERR! cwd d:\foo
npm ERR! node -v v0.10.29
npm ERR! npm -v 1.4.14
npm ERR! type non_object_property_call
npm ERR!
npm ERR! Additional logging details can be found in:
npm ERR!     d:\foo\npm-debug.log
npm ERR! not ok code 0

Apologies, I didn't express myself properly. I meant to say I'm getting this issue with 1.4.21 (as in exactly the same trace as the original ticket message for 1.4.16 which does include the commit I referenced).

On 1.4.14 I also have problems with --no-registry, but have a different error:

npm ERR! TypeError: Cannot call method 'replace' of null
npm ERR!     at cf (c:\Program Files\nodejs\node_modules\npm\node_modules\npm-cache-filename\index.js:11:18)
npm ERR!     at RegClient.get (c:\Program Files\nodejs\node_modules\npm\node_modules\npm-registry-client\lib\get.js:24:20)
npm ERR!     at addNameRange (c:\Program Files\nodejs\node_modules\npm\lib\cache\add-named.js:198:12)
npm ERR!     at c:\Program Files\nodejs\node_modules\npm\lib\cache\add-named.js:47:5
npm ERR!     at c:\Program Files\nodejs\node_modules\npm\lib\utils\locker.js:30:7
npm ERR!     at c:\Program Files\nodejs\node_modules\npm\node_modules\lockfile\lockfile.js:143:23
npm ERR!     at c:\Program Files\nodejs\node_modules\npm\node_modules\lockfile\lockfile.js:161:16
npm ERR!     at c:\Program Files\nodejs\node_modules\npm\node_modules\graceful-fs\graceful-fs.js:105:5
npm ERR!     at Object.oncomplete (fs.js:107:15)
npm ERR! If you need help, you may report this *entire* log,
npm ERR! including the npm and node versions, at:
npm ERR!     <http://github.com/npm/npm/issues>

npm ERR! System Windows_NT 6.1.7601
npm ERR! command "c:\\Program Files\\nodejs\\node.exe" "c:\\Program Files\\nodejs\\node_modules\\npm\\bin\\npm-cli.js" "install" "jq
uery" "--no-registry" "--cache" "../npm-cache"
npm ERR! cwd d:\foo
npm ERR! node -v v0.10.29
npm ERR! npm -v 1.4.14
npm ERR! type non_object_property_call
npm ERR!
npm ERR! Additional logging details can be found in:
npm ERR!     d:\foo\npm-debug.log
npm ERR! not ok code 0
@goblind

This comment has been minimized.

Show comment Hide comment
@goblind

goblind Aug 28, 2014

I'm on 1.4.23 and this is still happening.
Using --cache-min 99999 and removing --no-registry solved the problem though.

goblind commented Aug 28, 2014

I'm on 1.4.23 and this is still happening.
Using --cache-min 99999 and removing --no-registry solved the problem though.

@stevenvachon

This comment has been minimized.

Show comment Hide comment
@stevenvachon

stevenvachon Sep 4, 2014

Getting this 'url' must be a string error as well. Using npm v1.4.25

Getting this 'url' must be a string error as well. Using npm v1.4.25

@othiym23 othiym23 added this to the cache rewrite milestone Sep 21, 2014

@othiym23 othiym23 added the bug label Sep 21, 2014

@kkaempf

This comment has been minimized.

Show comment Hide comment
@kkaempf

kkaempf Sep 30, 2014

Updated to npm 2.0.0, still running into this issue

kkaempf commented Sep 30, 2014

Updated to npm 2.0.0, still running into this issue

@othiym23

This comment has been minimized.

Show comment Hide comment
@othiym23

othiym23 Sep 30, 2014

Contributor

That's why the issue is still open. Waiting on me to have time to get the cache rewrite finished.

Contributor

othiym23 commented Sep 30, 2014

That's why the issue is still open. Waiting on me to have time to get the cache rewrite finished.

@subesokun

This comment has been minimized.

Show comment Hide comment
@subesokun

subesokun Oct 2, 2014

@othiym23 Great, thanks a lot for adding a milestone to this bug! Looking forward to it :)

@othiym23 Great, thanks a lot for adding a milestone to this bug! Looking forward to it :)

@ralberts

This comment has been minimized.

Show comment Hide comment
@ralberts

ralberts Mar 30, 2015

@herebebeasties I am curious - what solution did you end up going with to solve your problem?

@herebebeasties I am curious - what solution did you end up going with to solve your problem?

@herebebeasties

This comment has been minimized.

Show comment Hide comment
@herebebeasties

herebebeasties Mar 30, 2015

@ralberts I, err, wrote my own NPM registry implementation (we have some slightly odd air-gapped security requirements and ultimately after investigating things like npmbox it just seemed easiest). You may be able to achieve something similar with https://github.com/hughsk/npm-offline

@ralberts I, err, wrote my own NPM registry implementation (we have some slightly odd air-gapped security requirements and ultimately after investigating things like npmbox it just seemed easiest). You may be able to achieve something similar with https://github.com/hughsk/npm-offline

@ralberts

This comment has been minimized.

Show comment Hide comment
@ralberts

ralberts Mar 31, 2015

@herebebeasties Thanks for your reply! I have the same requirements. I was trying to use https://github.com/davglass/registry-static but it seems that while the project is offline, during the install (npm install) some modules have an install.js that needs to download binaries, github projects, etc from the internet. Does the npm-offline fix this problem? Or did you find another way around it?

@herebebeasties Thanks for your reply! I have the same requirements. I was trying to use https://github.com/davglass/registry-static but it seems that while the project is offline, during the install (npm install) some modules have an install.js that needs to download binaries, github projects, etc from the internet. Does the npm-offline fix this problem? Or did you find another way around it?

@herebebeasties

This comment has been minimized.

Show comment Hide comment
@herebebeasties

herebebeasties Mar 31, 2015

@ralberts I found that bootstrapping the process was far harder than it should be. Stuff like Sinopia has a lot of dependencies and seem to assume you will be able to at least install it on a connected machine via npm install, which wasn't an option for me with a totally air-gapped set-up. Additionally, an amazing number of people seem to think it's fine to have dependencies that point at github, or random tgz files on bitbucket, etc.

npmbox is specifically designed for totally offline stuff. It won't solve the random tgz dependencies issue, but npm-offline has far fewer dependencies than registry-static, so you may well be able to get that to work. That looks like a good option, but if that fails then you can do a file mirror with the npm-mirror package. Install that on a connected machine and use it to create a directory tree, then just serve it up with Apache (you will need to tweak your web server config to serve the index.json files from directory roots like index.html).

I found that npm-mirror isn't a great option for longer-term use, as it's hard to maintain the list of packages, gradually takes longer and longer to run, and you really need something like rsync to keep the connected machine's directories in sync with your internal server (otherwise you end up transferring the whole repository each time). That may or may not be an option for you. Even if it is, updating your repo piecemeal is painful, as the top-level index.json files (e.g. at http://server/react/index.json) need to contain metadata for all the available versions, so you have to feed npm-mirror absolutely all the packages you've ever used on every version, every time you run it. This is why I ended up writing my own server (in C#, actually) which generates this top-level package metadata JSON directly from the available package tgz files. Needless to say, that's sadly behind the air-gapped network too, so I'm afraid I can't open source it.

Note that I do use npmbox to grab all the dependencies transitively. For direct-linked-URL dependencies, I'm planning to rewrite the URLs in the package.json files on the fly when they are served, to point them at a local internal server instead. Not quite got around to that yet.

I hope all that is helpful for you (or someone else).

@ralberts I found that bootstrapping the process was far harder than it should be. Stuff like Sinopia has a lot of dependencies and seem to assume you will be able to at least install it on a connected machine via npm install, which wasn't an option for me with a totally air-gapped set-up. Additionally, an amazing number of people seem to think it's fine to have dependencies that point at github, or random tgz files on bitbucket, etc.

npmbox is specifically designed for totally offline stuff. It won't solve the random tgz dependencies issue, but npm-offline has far fewer dependencies than registry-static, so you may well be able to get that to work. That looks like a good option, but if that fails then you can do a file mirror with the npm-mirror package. Install that on a connected machine and use it to create a directory tree, then just serve it up with Apache (you will need to tweak your web server config to serve the index.json files from directory roots like index.html).

I found that npm-mirror isn't a great option for longer-term use, as it's hard to maintain the list of packages, gradually takes longer and longer to run, and you really need something like rsync to keep the connected machine's directories in sync with your internal server (otherwise you end up transferring the whole repository each time). That may or may not be an option for you. Even if it is, updating your repo piecemeal is painful, as the top-level index.json files (e.g. at http://server/react/index.json) need to contain metadata for all the available versions, so you have to feed npm-mirror absolutely all the packages you've ever used on every version, every time you run it. This is why I ended up writing my own server (in C#, actually) which generates this top-level package metadata JSON directly from the available package tgz files. Needless to say, that's sadly behind the air-gapped network too, so I'm afraid I can't open source it.

Note that I do use npmbox to grab all the dependencies transitively. For direct-linked-URL dependencies, I'm planning to rewrite the URLs in the package.json files on the fly when they are served, to point them at a local internal server instead. Not quite got around to that yet.

I hope all that is helpful for you (or someone else).

@shuninghuang

This comment has been minimized.

Show comment Hide comment
@shuninghuang

shuninghuang Jun 9, 2015

@herebebeasties I am also using npmbox, but how can I install npmbox offline? npm install --global --cache ./.npmbox.cache --optional --cache-min 99999 --shrinkwrap false npmbox makes no difference

@herebebeasties I am also using npmbox, but how can I install npmbox offline? npm install --global --cache ./.npmbox.cache --optional --cache-min 99999 --shrinkwrap false npmbox makes no difference

bendaaron pushed a commit to bendaaron/meta-oe-dev that referenced this issue Jul 17, 2015

nodejs: fix no-registry option
* npm/npm#3691
* npm/npm#5509

Signed-off-by: Martin Jansa <martin.jansa@lge.com>

@srse srse referenced this issue in strongloop/strong-pm Mar 21, 2017

Open

npm tarballs - Offline Deployments from .cache #395

zkat added a commit that referenced this issue Apr 17, 2017

feat(cache): rewrite package fetching and caching on top of pacote
Fixes: #2568
Fixes: #2649
Fixes: #3141
Fixes: #4042
Fixes: #4652
Fixes: #5357
Fixes: #5509
Fixes: #5622
Fixes: #5941

All fetching-related networking is now done through pacote, and
the old cache has been entirely replaced by a cacache-based one.

Features:

* npm now supports a variety of hash algorithms for tarball storage. On registries that support it, npm is able to use sha512sum for verification.

* An `integrity` field has been added to `npm-shrinkwrap.json`.

* Package integrity will be fully verified on both cache insert and extraction -- if npm installs something, it's going to be exactly what you downloaded, byte-for-byte, or it will fail.

* If `npm-shrinkwrap.json` is used, npm will bypass checking package manifests and go straight to the tarball, fetching it by content address if locally cached.

* Checksum integrity failures will now retry downloading on error, instead of failing on a single check.

* A new npm command, `npm cache verify`, can now be used to verify and garbage collect your local cache.

* npm now supports arbitrarily large tarball downloads: tarballs will no longer be loaded entirely into memory before extraction.

* packages whose names only differ in casing, and packages from different sources/registries/etc will now correctly be cached separately from each other.

* Some performance improvements.

* Improved fetch retry logic will try harder to download your packages.

BREAKING CHANGE: many shrinkwrap and cache-related things have changed.

* Previously-created caches will no longer be used. They will be left in place, but data will need to be re-cached. There is no facility for rebuilding a cache based on an existing one.

* `npm cache ls` has been removed for now

* `npm cache rm` now always removes the entire cache. There is no granular removal available for now.

* git dependencies can now use semver resolution using `#semver:^1.2.3`

* `--cache-min` and `--cache-max` have been deprecated. Use `--offline`, `--prefer-offline`, and `--prefer-online instead. `--cache-min=9999+` and `--cache-max=0` have been aliased to `--prefer-offline` and `--prefer-online`, respectively.

* npm will now obey HTTP caching headers sent from registries and other remote HTTP hosts, and will use standard HTTP caching rules for its local cache.

* `prepublishOnly` now runs *before* packing the tarball.

* npm no longer supports node@<4.

zkat added a commit that referenced this issue Apr 18, 2017

feat(cache): rewrite package fetching and caching on top of pacote
Fixes: #2568
Fixes: #2649
Fixes: #3141
Fixes: #4042
Fixes: #4652
Fixes: #5357
Fixes: #5509
Fixes: #5622
Fixes: #5941

All fetching-related networking is now done through pacote, and
the old cache has been entirely replaced by a cacache-based one.

Features:

* npm now supports a variety of hash algorithms for tarball storage. On registries that support it, npm is able to use sha512sum for verification.

* An `integrity` field has been added to `npm-shrinkwrap.json`.

* Package integrity will be fully verified on both cache insert and extraction -- if npm installs something, it's going to be exactly what you downloaded, byte-for-byte, or it will fail.

* If `npm-shrinkwrap.json` is used, npm will bypass checking package manifests and go straight to the tarball, fetching it by content address if locally cached.

* Checksum integrity failures will now retry downloading on error, instead of failing on a single check.

* A new npm command, `npm cache verify`, can now be used to verify and garbage collect your local cache.

* npm now supports arbitrarily large tarball downloads: tarballs will no longer be loaded entirely into memory before extraction.

* packages whose names only differ in casing, and packages from different sources/registries/etc will now correctly be cached separately from each other.

* Some performance improvements.

* Improved fetch retry logic will try harder to download your packages.

BREAKING CHANGE: many shrinkwrap and cache-related things have changed.

* Previously-created caches will no longer be used. They will be left in place, but data will need to be re-cached. There is no facility for rebuilding a cache based on an existing one.

* `npm cache ls` has been removed for now

* `npm cache rm` now always removes the entire cache. There is no granular removal available for now.

* git dependencies can now use semver resolution using `#semver:^1.2.3`

* `--cache-min` and `--cache-max` have been deprecated. Use `--offline`, `--prefer-offline`, and `--prefer-online instead. `--cache-min=9999+` and `--cache-max=0` have been aliased to `--prefer-offline` and `--prefer-online`, respectively.

* npm will now obey HTTP caching headers sent from registries and other remote HTTP hosts, and will use standard HTTP caching rules for its local cache.

* `prepublishOnly` now runs *before* packing the tarball.

* npm no longer supports node@<4.

zkat added a commit that referenced this issue Apr 18, 2017

feat(cache): rewrite package fetching and caching on top of pacote
Fixes: #2568
Fixes: #2649
Fixes: #3141
Fixes: #4042
Fixes: #4652
Fixes: #5357
Fixes: #5509
Fixes: #5622
Fixes: #5941

All fetching-related networking is now done through pacote, and
the old cache has been entirely replaced by a cacache-based one.

Features:

* npm now supports a variety of hash algorithms for tarball storage. On registries that support it, npm is able to use sha512sum for verification.

* An `integrity` field has been added to `npm-shrinkwrap.json`.

* Package integrity will be fully verified on both cache insert and extraction -- if npm installs something, it's going to be exactly what you downloaded, byte-for-byte, or it will fail.

* If `npm-shrinkwrap.json` is used, npm will bypass checking package manifests and go straight to the tarball, fetching it by content address if locally cached.

* Checksum integrity failures will now retry downloading on error, instead of failing on a single check.

* A new npm command, `npm cache verify`, can now be used to verify and garbage collect your local cache.

* npm now supports arbitrarily large tarball downloads: tarballs will no longer be loaded entirely into memory before extraction.

* packages whose names only differ in casing, and packages from different sources/registries/etc will now correctly be cached separately from each other.

* Some performance improvements.

* Improved fetch retry logic will try harder to download your packages.

BREAKING CHANGE: many shrinkwrap and cache-related things have changed.

* Previously-created caches will no longer be used. They will be left in place, but data will need to be re-cached. There is no facility for rebuilding a cache based on an existing one.

* `npm cache ls` has been removed for now

* `npm cache rm` now always removes the entire cache. There is no granular removal available for now.

* git dependencies can now use semver resolution using `#semver:^1.2.3`

* `--cache-min` and `--cache-max` have been deprecated. Use `--offline`, `--prefer-offline`, and `--prefer-online instead. `--cache-min=9999+` and `--cache-max=0` have been aliased to `--prefer-offline` and `--prefer-online`, respectively.

* npm will now obey HTTP caching headers sent from registries and other remote HTTP hosts, and will use standard HTTP caching rules for its local cache.

* `prepublishOnly` now runs *before* packing the tarball.

* npm no longer supports node@<4.

zkat added a commit that referenced this issue Apr 18, 2017

feat(cache): rewrite package fetching and caching on top of pacote
Fixes: #2568
Fixes: #2649
Fixes: #3141
Fixes: #4042
Fixes: #4652
Fixes: #5357
Fixes: #5509
Fixes: #5622
Fixes: #5941

All fetching-related networking is now done through pacote, and
the old cache has been entirely replaced by a cacache-based one.

Features:

* npm now supports a variety of hash algorithms for tarball storage. On registries that support it, npm is able to use sha512sum for verification.

* An `integrity` field has been added to `npm-shrinkwrap.json`.

* Package integrity will be fully verified on both cache insert and extraction -- if npm installs something, it's going to be exactly what you downloaded, byte-for-byte, or it will fail.

* If `npm-shrinkwrap.json` is used, npm will bypass checking package manifests and go straight to the tarball, fetching it by content address if locally cached.

* Checksum integrity failures will now retry downloading on error, instead of failing on a single check.

* A new npm command, `npm cache verify`, can now be used to verify and garbage collect your local cache.

* npm now supports arbitrarily large tarball downloads: tarballs will no longer be loaded entirely into memory before extraction.

* packages whose names only differ in casing, and packages from different sources/registries/etc will now correctly be cached separately from each other.

* Some performance improvements.

* Improved fetch retry logic will try harder to download your packages.

BREAKING CHANGE: many shrinkwrap and cache-related things have changed.

* Previously-created caches will no longer be used. They will be left in place, but data will need to be re-cached. There is no facility for rebuilding a cache based on an existing one.

* `npm cache ls` has been removed for now

* `npm cache rm` now always removes the entire cache. There is no granular removal available for now.

* git dependencies can now use semver resolution using `#semver:^1.2.3`

* `--cache-min` and `--cache-max` have been deprecated. Use `--offline`, `--prefer-offline`, and `--prefer-online instead. `--cache-min=9999+` and `--cache-max=0` have been aliased to `--prefer-offline` and `--prefer-online`, respectively.

* npm will now obey HTTP caching headers sent from registries and other remote HTTP hosts, and will use standard HTTP caching rules for its local cache.

* `prepublishOnly` now runs *before* packing the tarball.

* npm no longer supports node@<4.

zkat added a commit that referenced this issue Apr 18, 2017

feat(cache): rewrite package fetching and caching on top of pacote
Fixes: #2568
Fixes: #2649
Fixes: #3141
Fixes: #4042
Fixes: #4652
Fixes: #5357
Fixes: #5509
Fixes: #5622
Fixes: #5941

All fetching-related networking is now done through pacote, and
the old cache has been entirely replaced by a cacache-based one.

Features:

* npm now supports a variety of hash algorithms for tarball storage. On registries that support it, npm is able to use sha512sum for verification.

* An `integrity` field has been added to `npm-shrinkwrap.json`.

* Package integrity will be fully verified on both cache insert and extraction -- if npm installs something, it's going to be exactly what you downloaded, byte-for-byte, or it will fail.

* If `npm-shrinkwrap.json` is used, npm will bypass checking package manifests and go straight to the tarball, fetching it by content address if locally cached.

* Checksum integrity failures will now retry downloading on error, instead of failing on a single check.

* A new npm command, `npm cache verify`, can now be used to verify and garbage collect your local cache.

* npm now supports arbitrarily large tarball downloads: tarballs will no longer be loaded entirely into memory before extraction.

* packages whose names only differ in casing, and packages from different sources/registries/etc will now correctly be cached separately from each other.

* Some performance improvements.

* Improved fetch retry logic will try harder to download your packages.

BREAKING CHANGE: many shrinkwrap and cache-related things have changed.

* Previously-created caches will no longer be used. They will be left in place, but data will need to be re-cached. There is no facility for rebuilding a cache based on an existing one.

* `npm cache ls` has been removed for now

* `npm cache rm` now always removes the entire cache. There is no granular removal available for now.

* git dependencies can now use semver resolution using `#semver:^1.2.3`

* `--cache-min` and `--cache-max` have been deprecated. Use `--offline`, `--prefer-offline`, and `--prefer-online instead. `--cache-min=9999+` and `--cache-max=0` have been aliased to `--prefer-offline` and `--prefer-online`, respectively.

* npm will now obey HTTP caching headers sent from registries and other remote HTTP hosts, and will use standard HTTP caching rules for its local cache.

* `prepublishOnly` now runs *before* packing the tarball.

* npm no longer supports node@<4.

zkat added a commit that referenced this issue Apr 19, 2017

feat(cache): rewrite package fetching and caching on top of pacote
Fixes: #2568
Fixes: #2649
Fixes: #3141
Fixes: #4042
Fixes: #4652
Fixes: #5357
Fixes: #5509
Fixes: #5622
Fixes: #5941

All fetching-related networking is now done through pacote, and
the old cache has been entirely replaced by a cacache-based one.

Features:

* npm now supports a variety of hash algorithms for tarball storage. On registries that support it, npm is able to use sha512sum for verification.

* An `integrity` field has been added to `npm-shrinkwrap.json`.

* Package integrity will be fully verified on both cache insert and extraction -- if npm installs something, it's going to be exactly what you downloaded, byte-for-byte, or it will fail.

* If `npm-shrinkwrap.json` is used, npm will bypass checking package manifests and go straight to the tarball, fetching it by content address if locally cached.

* Checksum integrity failures will now retry downloading on error, instead of failing on a single check.

* A new npm command, `npm cache verify`, can now be used to verify and garbage collect your local cache.

* npm now supports arbitrarily large tarball downloads: tarballs will no longer be loaded entirely into memory before extraction.

* packages whose names only differ in casing, and packages from different sources/registries/etc will now correctly be cached separately from each other.

* Some performance improvements.

* Improved fetch retry logic will try harder to download your packages.

BREAKING CHANGE: many shrinkwrap and cache-related things have changed.

* Previously-created caches will no longer be used. They will be left in place, but data will need to be re-cached. There is no facility for rebuilding a cache based on an existing one.

* `npm cache ls` has been removed for now

* `npm cache rm` now always removes the entire cache. There is no granular removal available for now.

* git dependencies can now use semver resolution using `#semver:^1.2.3`

* `--cache-min` and `--cache-max` have been deprecated. Use `--offline`, `--prefer-offline`, and `--prefer-online instead. `--cache-min=9999+` and `--cache-max=0` have been aliased to `--prefer-offline` and `--prefer-online`, respectively.

* npm will now obey HTTP caching headers sent from registries and other remote HTTP hosts, and will use standard HTTP caching rules for its local cache.

* `prepublishOnly` now runs *before* packing the tarball.

* npm no longer supports node@<4.

zkat added a commit that referenced this issue Apr 19, 2017

feat(cache): rewrite package fetching and caching on top of pacote
Fixes: #2568
Fixes: #2649
Fixes: #3141
Fixes: #4042
Fixes: #4652
Fixes: #5357
Fixes: #5509
Fixes: #5622
Fixes: #5941

All fetching-related networking is now done through pacote, and
the old cache has been entirely replaced by a cacache-based one.

Features:

* npm now supports a variety of hash algorithms for tarball storage. On registries that support it, npm is able to use sha512sum for verification.

* An `integrity` field has been added to `npm-shrinkwrap.json`.

* Package integrity will be fully verified on both cache insert and extraction -- if npm installs something, it's going to be exactly what you downloaded, byte-for-byte, or it will fail.

* If `npm-shrinkwrap.json` is used, npm will bypass checking package manifests and go straight to the tarball, fetching it by content address if locally cached.

* Checksum integrity failures will now retry downloading on error, instead of failing on a single check.

* A new npm command, `npm cache verify`, can now be used to verify and garbage collect your local cache.

* npm now supports arbitrarily large tarball downloads: tarballs will no longer be loaded entirely into memory before extraction.

* packages whose names only differ in casing, and packages from different sources/registries/etc will now correctly be cached separately from each other.

* Some performance improvements.

* Improved fetch retry logic will try harder to download your packages.

BREAKING CHANGE: many shrinkwrap and cache-related things have changed.

* Previously-created caches will no longer be used. They will be left in place, but data will need to be re-cached. There is no facility for rebuilding a cache based on an existing one.

* `npm cache ls` has been removed for now

* `npm cache rm` now always removes the entire cache. There is no granular removal available for now.

* git dependencies can now use semver resolution using `#semver:^1.2.3`

* `--cache-min` and `--cache-max` have been deprecated. Use `--offline`, `--prefer-offline`, and `--prefer-online instead. `--cache-min=9999+` and `--cache-max=0` have been aliased to `--prefer-offline` and `--prefer-online`, respectively.

* npm will now obey HTTP caching headers sent from registries and other remote HTTP hosts, and will use standard HTTP caching rules for its local cache.

* `prepublishOnly` now runs *before* packing the tarball.

* npm no longer supports node@<4.

zkat added a commit that referenced this issue Apr 20, 2017

feat(cache): rewrite package fetching and caching on top of pacote
Fixes: #2568
Fixes: #2649
Fixes: #3141
Fixes: #4042
Fixes: #4652
Fixes: #5357
Fixes: #5509
Fixes: #5622
Fixes: #5941

All fetching-related networking is now done through pacote, and
the old cache has been entirely replaced by a cacache-based one.

Features:

* npm now supports a variety of hash algorithms for tarball storage. On registries that support it, npm is able to use sha512sum for verification.

* An `integrity` field has been added to `npm-shrinkwrap.json`.

* Package integrity will be fully verified on both cache insert and extraction -- if npm installs something, it's going to be exactly what you downloaded, byte-for-byte, or it will fail.

* If `npm-shrinkwrap.json` is used, npm will bypass checking package manifests and go straight to the tarball, fetching it by content address if locally cached.

* Checksum integrity failures will now retry downloading on error, instead of failing on a single check.

* A new npm command, `npm cache verify`, can now be used to verify and garbage collect your local cache.

* npm now supports arbitrarily large tarball downloads: tarballs will no longer be loaded entirely into memory before extraction.

* packages whose names only differ in casing, and packages from different sources/registries/etc will now correctly be cached separately from each other.

* Some performance improvements.

* Improved fetch retry logic will try harder to download your packages.

BREAKING CHANGE: many shrinkwrap and cache-related things have changed.

* Previously-created caches will no longer be used. They will be left in place, but data will need to be re-cached. There is no facility for rebuilding a cache based on an existing one.

* `npm cache ls` has been removed for now

* `npm cache rm` now always removes the entire cache. There is no granular removal available for now.

* git dependencies can now use semver resolution using `#semver:^1.2.3`

* `--cache-min` and `--cache-max` have been deprecated. Use `--offline`, `--prefer-offline`, and `--prefer-online instead. `--cache-min=9999+` and `--cache-max=0` have been aliased to `--prefer-offline` and `--prefer-online`, respectively.

* npm will now obey HTTP caching headers sent from registries and other remote HTTP hosts, and will use standard HTTP caching rules for its local cache.

* `prepublishOnly` now runs *before* packing the tarball.

* npm no longer supports node@<4.

zkat added a commit that referenced this issue Apr 20, 2017

feat(cache): rewrite package fetching and caching on top of pacote
Fixes: #2568
Fixes: #2649
Fixes: #3141
Fixes: #4042
Fixes: #4652
Fixes: #5357
Fixes: #5509
Fixes: #5622
Fixes: #5941

All fetching-related networking is now done through pacote, and
the old cache has been entirely replaced by a cacache-based one.

Features:

* npm now supports a variety of hash algorithms for tarball storage. On registries that support it, npm is able to use sha512sum for verification.

* An `integrity` field has been added to `npm-shrinkwrap.json`.

* Package integrity will be fully verified on both cache insert and extraction -- if npm installs something, it's going to be exactly what you downloaded, byte-for-byte, or it will fail.

* If `npm-shrinkwrap.json` is used, npm will bypass checking package manifests and go straight to the tarball, fetching it by content address if locally cached.

* Checksum integrity failures will now retry downloading on error, instead of failing on a single check.

* A new npm command, `npm cache verify`, can now be used to verify and garbage collect your local cache.

* npm now supports arbitrarily large tarball downloads: tarballs will no longer be loaded entirely into memory before extraction.

* packages whose names only differ in casing, and packages from different sources/registries/etc will now correctly be cached separately from each other.

* Some performance improvements.

* Improved fetch retry logic will try harder to download your packages.

BREAKING CHANGE: many shrinkwrap and cache-related things have changed.

* Previously-created caches will no longer be used. They will be left in place, but data will need to be re-cached. There is no facility for rebuilding a cache based on an existing one.

* `npm cache ls` has been removed for now

* `npm cache rm` now always removes the entire cache. There is no granular removal available for now.

* git dependencies can now use semver resolution using `#semver:^1.2.3`

* `--cache-min` and `--cache-max` have been deprecated. Use `--offline`, `--prefer-offline`, and `--prefer-online instead. `--cache-min=9999+` and `--cache-max=0` have been aliased to `--prefer-offline` and `--prefer-online`, respectively.

* npm will now obey HTTP caching headers sent from registries and other remote HTTP hosts, and will use standard HTTP caching rules for its local cache.

* `prepublishOnly` now runs *before* packing the tarball.

* npm no longer supports node@<4.

zkat added a commit that referenced this issue Apr 22, 2017

feat(cache): rewrite package fetching and caching on top of pacote
Fixes: #2568
Fixes: #2649
Fixes: #3141
Fixes: #4042
Fixes: #4652
Fixes: #5357
Fixes: #5509
Fixes: #5622
Fixes: #5941

All fetching-related networking is now done through pacote, and
the old cache has been entirely replaced by a cacache-based one.

Features:

* npm now supports a variety of hash algorithms for tarball storage. On registries that support it, npm is able to use sha512sum for verification.

* An `integrity` field has been added to `npm-shrinkwrap.json`.

* Package integrity will be fully verified on both cache insert and extraction -- if npm installs something, it's going to be exactly what you downloaded, byte-for-byte, or it will fail.

* If `npm-shrinkwrap.json` is used, npm will bypass checking package manifests and go straight to the tarball, fetching it by content address if locally cached.

* Checksum integrity failures will now retry downloading on error, instead of failing on a single check.

* A new npm command, `npm cache verify`, can now be used to verify and garbage collect your local cache.

* npm now supports arbitrarily large tarball downloads: tarballs will no longer be loaded entirely into memory before extraction.

* packages whose names only differ in casing, and packages from different sources/registries/etc will now correctly be cached separately from each other.

* Some performance improvements.

* Improved fetch retry logic will try harder to download your packages.

BREAKING CHANGE: many shrinkwrap and cache-related things have changed.

* Previously-created caches will no longer be used. They will be left in place, but data will need to be re-cached. There is no facility for rebuilding a cache based on an existing one.

* `npm cache ls` has been removed for now

* `npm cache rm` now always removes the entire cache. There is no granular removal available for now.

* git dependencies can now use semver resolution using `#semver:^1.2.3`

* `--cache-min` and `--cache-max` have been deprecated. Use `--offline`, `--prefer-offline`, and `--prefer-online instead. `--cache-min=9999+` and `--cache-max=0` have been aliased to `--prefer-offline` and `--prefer-online`, respectively.

* npm will now obey HTTP caching headers sent from registries and other remote HTTP hosts, and will use standard HTTP caching rules for its local cache.

* `prepublishOnly` now runs *before* packing the tarball.

* npm no longer supports node@<4.

zkat added a commit that referenced this issue Apr 22, 2017

feat(cache): rewrite package fetching and caching on top of pacote
Fixes: #2568
Fixes: #2649
Fixes: #3141
Fixes: #4042
Fixes: #4652
Fixes: #5357
Fixes: #5509
Fixes: #5622
Fixes: #5941

All fetching-related networking is now done through pacote, and
the old cache has been entirely replaced by a cacache-based one.

Features:

* npm now supports a variety of hash algorithms for tarball storage. On registries that support it, npm is able to use sha512sum for verification.

* An `integrity` field has been added to `npm-shrinkwrap.json`.

* Package integrity will be fully verified on both cache insert and extraction -- if npm installs something, it's going to be exactly what you downloaded, byte-for-byte, or it will fail.

* If `npm-shrinkwrap.json` is used, npm will bypass checking package manifests and go straight to the tarball, fetching it by content address if locally cached.

* Checksum integrity failures will now retry downloading on error, instead of failing on a single check.

* A new npm command, `npm cache verify`, can now be used to verify and garbage collect your local cache.

* npm now supports arbitrarily large tarball downloads: tarballs will no longer be loaded entirely into memory before extraction.

* packages whose names only differ in casing, and packages from different sources/registries/etc will now correctly be cached separately from each other.

* Some performance improvements.

* Improved fetch retry logic will try harder to download your packages.

BREAKING CHANGE: many shrinkwrap and cache-related things have changed.

* Previously-created caches will no longer be used. They will be left in place, but data will need to be re-cached. There is no facility for rebuilding a cache based on an existing one.

* `npm cache ls` has been removed for now

* `npm cache rm` now always removes the entire cache. There is no granular removal available for now.

* git dependencies can now use semver resolution using `#semver:^1.2.3`

* `--cache-min` and `--cache-max` have been deprecated. Use `--offline`, `--prefer-offline`, and `--prefer-online instead. `--cache-min=9999+` and `--cache-max=0` have been aliased to `--prefer-offline` and `--prefer-online`, respectively.

* npm will now obey HTTP caching headers sent from registries and other remote HTTP hosts, and will use standard HTTP caching rules for its local cache.

* `prepublishOnly` now runs *before* packing the tarball.

* npm no longer supports node@<4.

zkat added a commit that referenced this issue Apr 22, 2017

feat(cache): rewrite package fetching and caching on top of pacote
Fixes: #2568
Fixes: #2649
Fixes: #3141
Fixes: #4042
Fixes: #4652
Fixes: #5357
Fixes: #5509
Fixes: #5622
Fixes: #5941

All fetching-related networking is now done through pacote, and
the old cache has been entirely replaced by a cacache-based one.

Features:

* npm now supports a variety of hash algorithms for tarball storage. On registries that support it, npm is able to use sha512sum for verification.

* An `integrity` field has been added to `npm-shrinkwrap.json`.

* Package integrity will be fully verified on both cache insert and extraction -- if npm installs something, it's going to be exactly what you downloaded, byte-for-byte, or it will fail.

* If `npm-shrinkwrap.json` is used, npm will bypass checking package manifests and go straight to the tarball, fetching it by content address if locally cached.

* Checksum integrity failures will now retry downloading on error, instead of failing on a single check.

* A new npm command, `npm cache verify`, can now be used to verify and garbage collect your local cache.

* npm now supports arbitrarily large tarball downloads: tarballs will no longer be loaded entirely into memory before extraction.

* packages whose names only differ in casing, and packages from different sources/registries/etc will now correctly be cached separately from each other.

* Some performance improvements.

* Improved fetch retry logic will try harder to download your packages.

BREAKING CHANGE: many shrinkwrap and cache-related things have changed.

* Previously-created caches will no longer be used. They will be left in place, but data will need to be re-cached. There is no facility for rebuilding a cache based on an existing one.

* `npm cache ls` has been removed for now

* `npm cache rm` now always removes the entire cache. There is no granular removal available for now.

* git dependencies can now use semver resolution using `#semver:^1.2.3`

* `--cache-min` and `--cache-max` have been deprecated. Use `--offline`, `--prefer-offline`, and `--prefer-online instead. `--cache-min=9999+` and `--cache-max=0` have been aliased to `--prefer-offline` and `--prefer-online`, respectively.

* npm will now obey HTTP caching headers sent from registries and other remote HTTP hosts, and will use standard HTTP caching rules for its local cache.

* `prepublishOnly` now runs *before* packing the tarball.

* npm no longer supports node@<4.

zkat added a commit that referenced this issue Apr 22, 2017

feat(cache): rewrite package fetching and caching on top of pacote
Fixes: #2568
Fixes: #2649
Fixes: #3141
Fixes: #4042
Fixes: #4652
Fixes: #5357
Fixes: #5509
Fixes: #5622
Fixes: #5941

All fetching-related networking is now done through pacote, and
the old cache has been entirely replaced by a cacache-based one.

Features:

* npm now supports a variety of hash algorithms for tarball storage. On registries that support it, npm is able to use sha512sum for verification.

* An `integrity` field has been added to `npm-shrinkwrap.json`.

* Package integrity will be fully verified on both cache insert and extraction -- if npm installs something, it's going to be exactly what you downloaded, byte-for-byte, or it will fail.

* If `npm-shrinkwrap.json` is used, npm will bypass checking package manifests and go straight to the tarball, fetching it by content address if locally cached.

* Checksum integrity failures will now retry downloading on error, instead of failing on a single check.

* A new npm command, `npm cache verify`, can now be used to verify and garbage collect your local cache.

* npm now supports arbitrarily large tarball downloads: tarballs will no longer be loaded entirely into memory before extraction.

* packages whose names only differ in casing, and packages from different sources/registries/etc will now correctly be cached separately from each other.

* Some performance improvements.

* Improved fetch retry logic will try harder to download your packages.

BREAKING CHANGE: many shrinkwrap and cache-related things have changed.

* Previously-created caches will no longer be used. They will be left in place, but data will need to be re-cached. There is no facility for rebuilding a cache based on an existing one.

* `npm cache ls` has been removed for now

* `npm cache rm` now always removes the entire cache. There is no granular removal available for now.

* git dependencies can now use semver resolution using `#semver:^1.2.3`

* `--cache-min` and `--cache-max` have been deprecated. Use `--offline`, `--prefer-offline`, and `--prefer-online instead. `--cache-min=9999+` and `--cache-max=0` have been aliased to `--prefer-offline` and `--prefer-online`, respectively.

* npm will now obey HTTP caching headers sent from registries and other remote HTTP hosts, and will use standard HTTP caching rules for its local cache.

* `prepublishOnly` now runs *before* packing the tarball.

* npm no longer supports node@<4.

zkat added a commit that referenced this issue Apr 23, 2017

feat(cache): rewrite package fetching and caching on top of pacote
Fixes: #2568
Fixes: #2649
Fixes: #3141
Fixes: #4042
Fixes: #4652
Fixes: #5357
Fixes: #5509
Fixes: #5622
Fixes: #5941

All fetching-related networking is now done through pacote, and
the old cache has been entirely replaced by a cacache-based one.

Features:

* npm now supports a variety of hash algorithms for tarball storage. On registries that support it, npm is able to use sha512sum for verification.

* An `integrity` field has been added to `npm-shrinkwrap.json`.

* Package integrity will be fully verified on both cache insert and extraction -- if npm installs something, it's going to be exactly what you downloaded, byte-for-byte, or it will fail.

* If `npm-shrinkwrap.json` is used, npm will bypass checking package manifests and go straight to the tarball, fetching it by content address if locally cached.

* Checksum integrity failures will now retry downloading on error, instead of failing on a single check.

* A new npm command, `npm cache verify`, can now be used to verify and garbage collect your local cache.

* npm now supports arbitrarily large tarball downloads: tarballs will no longer be loaded entirely into memory before extraction.

* packages whose names only differ in casing, and packages from different sources/registries/etc will now correctly be cached separately from each other.

* Some performance improvements.

* Improved fetch retry logic will try harder to download your packages.

BREAKING CHANGE: many shrinkwrap and cache-related things have changed.

* Previously-created caches will no longer be used. They will be left in place, but data will need to be re-cached. There is no facility for rebuilding a cache based on an existing one.

* `npm cache ls` has been removed for now

* `npm cache rm` now always removes the entire cache. There is no granular removal available for now.

* git dependencies can now use semver resolution using `#semver:^1.2.3`

* `--cache-min` and `--cache-max` have been deprecated. Use `--offline`, `--prefer-offline`, and `--prefer-online instead. `--cache-min=9999+` and `--cache-max=0` have been aliased to `--prefer-offline` and `--prefer-online`, respectively.

* npm will now obey HTTP caching headers sent from registries and other remote HTTP hosts, and will use standard HTTP caching rules for its local cache.

* `prepublishOnly` now runs *before* packing the tarball.

* npm no longer supports node@<4.

zkat added a commit that referenced this issue Apr 26, 2017

feat(cache): rewrite package fetching and caching on top of pacote
Fixes: #2568
Fixes: #2649
Fixes: #3141
Fixes: #4042
Fixes: #4652
Fixes: #5357
Fixes: #5509
Fixes: #5622
Fixes: #5941

All fetching-related networking is now done through pacote, and
the old cache has been entirely replaced by a cacache-based one.

Features:

* npm now supports a variety of hash algorithms for tarball storage. On registries that support it, npm is able to use sha512sum for verification.

* An `integrity` field has been added to `npm-shrinkwrap.json`.

* Package integrity will be fully verified on both cache insert and extraction -- if npm installs something, it's going to be exactly what you downloaded, byte-for-byte, or it will fail.

* If `npm-shrinkwrap.json` is used, npm will bypass checking package manifests and go straight to the tarball, fetching it by content address if locally cached.

* Checksum integrity failures will now retry downloading on error, instead of failing on a single check.

* A new npm command, `npm cache verify`, can now be used to verify and garbage collect your local cache.

* npm now supports arbitrarily large tarball downloads: tarballs will no longer be loaded entirely into memory before extraction.

* packages whose names only differ in casing, and packages from different sources/registries/etc will now correctly be cached separately from each other.

* Some performance improvements.

* Improved fetch retry logic will try harder to download your packages.

BREAKING CHANGE: many shrinkwrap and cache-related things have changed.

* Previously-created caches will no longer be used. They will be left in place, but data will need to be re-cached. There is no facility for rebuilding a cache based on an existing one.

* `npm cache ls` has been removed for now

* `npm cache rm` now always removes the entire cache. There is no granular removal available for now.

* git dependencies can now use semver resolution using `#semver:^1.2.3`

* `--cache-min` and `--cache-max` have been deprecated. Use `--offline`, `--prefer-offline`, and `--prefer-online instead. `--cache-min=9999+` and `--cache-max=0` have been aliased to `--prefer-offline` and `--prefer-online`, respectively.

* npm will now obey HTTP caching headers sent from registries and other remote HTTP hosts, and will use standard HTTP caching rules for its local cache.

* `prepublishOnly` now runs *before* packing the tarball.

* npm no longer supports node@<4.

fix(doctor): updated doctor command and its tests

zkat added a commit that referenced this issue Apr 27, 2017

feat(cache): rewrite package fetching and caching on top of pacote
Fixes: #2568
Fixes: #2649
Fixes: #3141
Fixes: #4042
Fixes: #4652
Fixes: #5357
Fixes: #5509
Fixes: #5622
Fixes: #5941

All fetching-related networking is now done through pacote, and
the old cache has been entirely replaced by a cacache-based one.

Features:

* npm now supports a variety of hash algorithms for tarball storage. On registries that support it, npm is able to use sha512sum for verification.

* An `integrity` field has been added to `npm-shrinkwrap.json`.

* Package integrity will be fully verified on both cache insert and extraction -- if npm installs something, it's going to be exactly what you downloaded, byte-for-byte, or it will fail.

* If `npm-shrinkwrap.json` is used, npm will bypass checking package manifests and go straight to the tarball, fetching it by content address if locally cached.

* Checksum integrity failures will now retry downloading on error, instead of failing on a single check.

* A new npm command, `npm cache verify`, can now be used to verify and garbage collect your local cache.

* npm now supports arbitrarily large tarball downloads: tarballs will no longer be loaded entirely into memory before extraction.

* packages whose names only differ in casing, and packages from different sources/registries/etc will now correctly be cached separately from each other.

* Some performance improvements.

* Improved fetch retry logic will try harder to download your packages.

BREAKING CHANGE: many shrinkwrap and cache-related things have changed.

* Previously-created caches will no longer be used. They will be left in place, but data will need to be re-cached. There is no facility for rebuilding a cache based on an existing one.

* `npm cache ls` has been removed for now

* `npm cache rm` now always removes the entire cache. There is no granular removal available for now.

* git dependencies can now use semver resolution using `#semver:^1.2.3`

* `--cache-min` and `--cache-max` have been deprecated. Use `--offline`, `--prefer-offline`, and `--prefer-online instead. `--cache-min=9999+` and `--cache-max=0` have been aliased to `--prefer-offline` and `--prefer-online`, respectively.

* npm will now obey HTTP caching headers sent from registries and other remote HTTP hosts, and will use standard HTTP caching rules for its local cache.

* `prepublishOnly` now runs *before* packing the tarball.

* npm no longer supports node@<4.

fix(doctor): updated doctor command and its tests
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment