v3.3.2

@othiym23 othiym23 released this

PLEASE HOLD FOR THE NEXT AVAILABLE MAINTAINER

This is a tiny little maintenance release, both to update dependencies and to keep npm@3 up to date with changes made to npm@2. @othiym23 is putting out this release (again) as his esteemed colleague @iarna finishes relocating herself, her family, and her sizable anime collection all the way across North America. It contains all the goodies in npm@2.14.3 and one other dependency update.

BETA WARNINGS FOR FUN AND PROFIT

THIS IS BETA SOFTWARE. npm@3 will remain in beta until we're confident that it's stable and have assessed the effect of the breaking changes on the community. During that time we will still be doing npm@2 releases, with npm@2 tagged as latest and next. We'll also be publishing new releases of npm@3 as npm@v3.x-next and npm@v3.x-latest alongside those versions until we're ready to switch everyone over to npm@3. We need your help to find and fix its remaining bugs. It's a significant rewrite, so we are sure there are still significant bugs remaining. So do us a solid and deploy it in non-critical CI environments and for day-to-day use, but maybe don't use it for production maintenance or frontline continuous deployment just yet.

That said, it's getting there! It will be leaving beta very soon!

ONE OTHER DEPENDENCY UPDATE

  • bb5de34 is-my-json-valid@2.12.2: Upgrade to a new, modernized version of json-pointer. (@mafintosh)

v2.14.3

@zkat zkat released this · 454 commits to master since this release

TEAMS AND ORGS STILL BETA. CLI CODE STILL SOLID.

Our closed beta for Teens and Orcs is happening! The web team is hard at work making sure everything looks pretty and usable and such. Once we fix things stemming from that beta, you can expect the feature to be available publicly. Some time after that, it'll even be available for free for FOSS orgs. It'll Be Done When It's Done™.

OH GOOD, I CAN ACTUALLY UPSTREAM NOW

Looks like last week's release foiled our own test suite when trying to upstream it to Node! Just a friendly reminder that no, .npmrc is no longer included when you pack/release a package! @othiym23 and @isaacs managed to suss the really strange test failures resulting from that, and we've patched it in this release.

  • 01a3428 #9476 test: Recreate missing .npmrc files when missing so downstream packagers can run tests on packed npm. (@othiym23)

TALKING ABOUT THE CHANGELOG IN THE CHANGELOG IS LIKE, POMO OR SOMETHING

devDependencies UPDATED

No actual dep updates this week, but we're bumping a couple of devDeps:

  • 8454835 tap@1.4.0: Add t.contains() as alias to t.match() (@isaacs)
  • 13d2216 deep-equal@1.0.1: Make null == undefined in non-strict mode (@isaacs)

v3.3.1

@othiym23 othiym23 released this · 7 commits to master since this release

v3.3.1 (2015-08-27):

Hi all, this npm@3 update brings you another round of bug fixes. The headliner here is that npm update works again. We're running down the clock on blocker 3.x issues! Shortly after that hits zero we'll be promoting 3.x to latest!!

And of course, we have changes that were brought forward from 2.x. Check out the release notes for 2.14.1 and 2.14.2.

BETA WARNINGS FOR FUN AND PROFIT

THIS IS BETA SOFTWARE. npm@3 will remain in beta until we're confident that it's stable and have assessed the effect of the breaking changes on the community. During that time we will still be doing npm@2 releases, with npm@2 tagged as latest and next. We'll also be publishing new releases of npm@3 as npm@v3.x-next and npm@v3.x-latest alongside those versions until we're ready to switch everyone over to npm@3. We need your help to find and fix its remaining bugs. It's a significant rewrite, so we are sure there are still significant bugs remaining. So do us a solid and deploy it in non-critical CI environments and for day-to-day use, but maybe don't use it for production maintenance or frontline continuous deployment just yet.

NPM UPDATE, NOW AGAIN YOUR FRIEND

  • f130a00 #9095 npm update once again works! Previously, after selecting packages to update, it would then pick the wrong location to run the install from. (@iarna)

MORE VERBOSING FOR YOUR VERBOSE LIFECYCLES

  • d088b7d #9227 Add some additional logging at the verbose and silly levels when running lifecycle scripts. Hopefully this will make debugging issues with them a bit easier! (@saper)

AND SOME OTHER BUG FIXES…

  • f4a5784 #9308 Make fetching metadata for local modules faster! This ALSO means that doing things like running npm repo won't build your module and maybe run prepublish. (@iarna)
  • 4468c92 #9205 Fix a bug where local modules would sometimes not resolve relative links using the correct base path. (@iarna)
  • d395a6b #8995 Certain combinations of packages could result in different install orders for their initial installation than for reinstalls run on the same folder. (@iarna)
  • d119ea6 #9113 Make extraneous packages always show up in npm ls. Previously, if an extraneous package had a dependency that depended back on the original package this would result in the package not showing up in ls. (@iarna)
  • 02420dc #9113 Stop warning about missing top level package.json files. Errors in said files will still be reported. (@iarna)

SOME DEP UPDATES

  • 1ed1364 rimraf@2.4.3 (@isaacs) Added EPERM to delay/retry loop.
  • e7b8315 read@1.0.7 Smaller distribution package, better metadata. (@isaacs)

SOME DEPS OF DEPS UPDATES

v2.14.2

@zkat zkat released this · 454 commits to master since this release

GETTING THAT PESKY preferGlobal WARNING RIGHT

So apparently the preferGlobal option hasn't quite been warning correctly for some time. But now it should be all better! tl;dr: if you try and install a dependency with preferGlobal: true, and it's not already in your package.json, you'll get a warning that the author would really rather you install it with --global. This should prevent Windows PowerShell from thinking npm has failed just because of a benign warning.

  • bbb25f3 #8841 #9409 The preferGlobal warning shouldn't happen if the dependency being installed is listed in devDependencies. (@saper)
  • 222fcec #9409 preferGlobal now prints a warning when there are no dependencies for the current package. (@zkat)
  • 5cfed6d #9409 Verify that preferGlobal is warning as expected (when a preferGlobal dependency is installed, but isn't listed in either dependencies or devDependencies). (@zkat)

BUMP +1

  • eeafce2 validate-npm-package-license@3.0.1: Include additional metadata in parsed license object, useful for license checkers. (@kemitchell)
  • 1502a28 normalize-package-data@2.3.2: Updated to use validate-npm-package-license@3.0.1. (@othiym23)
  • cbde823 init-package-json@1.9.1: Add a silent option to suppress output on writing the generated package.json. Also, updated to use validate-npm-package-license@3.0.1. (@zkat)
  • 08fda46 tar@2.2.0: Minor improvements. (@othiym23)
  • dc2f20b rimraf@2.4.3: EPERM now triggers a delay / retry loop (since Windows throws this when things still hold a handle). (@isaacs)
  • e8acb27 read@1.0.7: Fix licensing ambiguity. (@isaacs)

OTHER STUFF THAT'S RELEVANT

  • 73a1ee0 #9386 Include additional unignorable files in documentation. (@mjhasbach)
  • 0313e40 #9396 Improve the EISDIR error message returned by npm's error-handling code to give users a better hint of what's most likely going on. Usually, error reports with this error code are about people trying to install things without a package.json. (@KenanY)
  • 2677457 #9360 Make it easier to run only some of npm tests with lifecycle scripts via npm tap test/tap/testname.js. (@iarna)

v2.14.1

@othiym23 othiym23 released this · 454 commits to master since this release

SECURITY FIX

There are patches for two information leaks of moderate severity in npm@2.14.1:

  1. In some cases, npm was leaking sensitive credential information into the child environment when running package and lifecycle scripts. This could lead to packages being published with files (most notably config.gypi, a file created by node-gyp that is a cache of environmental information regenerated on every run) containing the bearer tokens used to authenticate users to the registry. Users with affected packages have been notified (and the affected tokens invalidated), and now npm has been modified to not upload files that could contain this information, as well as scrubbing the sensitive information out of the environment passed to child scripts.
  2. Per-package .npmrc files are used by some maintainers as a way to scope those packages to a specific registry and its credentials. This is a reasonable use case, but by default .npmrc was packed into packages, leaking those credentials. npm will no longer include .npmrc when packing tarballs.

If you maintain packages and believe you may be affected by either of the above scenarios (especially if you've received a security notification from npm recently), please upgrade to npm@2.14.1 as soon as possible. If you believe you may have inadvertently leaked your credentials, upgrade to npm@2.14.1 on the affected machine, and run npm logout and then npm login. Your access tokens will be invalidated, which will eliminate any risk posed by tokens inadvertently included in published packages. We apologize for the inconvenience this causes, as well as the oversight that led to the existence of this issue in the first place.

Huge thanks to @ChALkeR for bringing these issues to our attention, and for helping us identify affected packages and maintainers. Thanks also to the Node.js security working group for their coördination with the team in our response to this issue. We appreciate everybody's patience and understanding tremendously.

  • b9474a8 fstream-npm@1.0.5: Stop publishing build cruft (config.gypi) and per-project .npmrc files to keep local configuration out of published packages. (@othiym23)
  • 13c286d #9348 Filter "private" (underscore-prefixed, even when scoped to a registry) configuration values out of child environments. (@othiym23)

BETTER WINDOWS INTEGRATION, ONE STEP AT A TIME

  • e40e71f #6412 Improve the search strategy used by the npm shims for Windows to prioritize your own local npm installs. npm has really needed this tweak for a long time, so hammer on it and let us know if you run into issues, but with luck it will Just Work. (@joaocgreis)
  • 204ebbb #8751 #7333 Keep autorun scripts from interfering with npm package and lifecycle script execution on Windows by adding /d and /s when invoking cmd.exe. (@saper)

IT SEEMED LIKE AN IDEA AT THE TIME

  • 286f3d9 #9201 For a while npm was building HTML partials for use on docs.npmjs.com, but we weren't actually using them. Stop building them, which makes running the full test suite and installation process around a third faster. (@isaacs)

A SINGLE LONELY DEPENDENCY UPGRADE

  • b343b95 request@2.61.0: Bug fixes and keep-alive tweaks. (@simov)

v3.3.0

@iarna iarna released this · 46 commits to master since this release

v3.3.0 (2015-08-13):

This is a pretty EXCITING week. But I may be a little excitable – or possibly sleep deprived, it's sometimes hard to tell them apart. =D So Kat really went the extra mile this week and got the client side support for teams and orgs out in this week's 2.x release. You can't use that just yet, 'cause we have to turn on some server side stuff too, but this way it'll be there for you all the moment we do! Check out the details over in the 2.14.0 release notes!

But we over here in 3.x ALSO got a new feature this week, check out the new --only and --also flags for better control over when dev and production dependencies are used by various npm commands.

That, and some important bug fixes round out this week. Enjoy everyone!

NEVER SHALL NOT BETA THE BETA

THIS IS BETA SOFTWARE. EXCITING NEW BETA WARNING!!! Ok, I fibbed, EXACTLY THE SAME BETA WARNINGS: npm@3 will remain in beta until we're confident that it's stable and have assessed the effect of the breaking changes on the community. During that time we will still be doing npm@2 releases, with npm@2 tagged as latest and next. We'll also be publishing new releases of npm@3 as npm@v3.x-next and npm@v3.x-latest alongside those versions until we're ready to switch everyone over to npm@3. We need your help to find and fix its remaining bugs. It's a significant rewrite, so we are sure there are still significant bugs remaining. So do us a solid and deploy it in non-critical CI environments and for day-to-day use, but maybe don't use it for production maintenance or frontline continuous deployment just yet.

ONLY ALSO DEV

Hey we've got a SUPER cool new feature for you all, thanks to the fantastic work of @davglass and @bengl we have --only=prod, --only=dev, --also=prod and --also=dev options. These apply in various ways to: npm install, npm ls, npm outdated and npm update.

So for instance:

npm install --only=dev

Only installs dev dependencies. By contrast:

npm install --only=prod

Will only install prod dependencies and is very similar to --production but differs in that it doesn't set the environment variables that --production does.

The related new flag, --also, is most useful with things like:

npm shrinkwrap --also=dev

As shrinkwraps don't include dev deps by default. This replaces passing in --dev in that scenario.

And that leads into the fact that this deprecates --dev as its semantics across commands were inconsistent and confusing.

DON'T TOUCH! THAT'S NOT YOUR BIN

  • b31812e #8996 When removing a module that has bin files, if one that we're going to remove is a symlink to a DIFFERENT module, leave it alone. This only happens when you have two modules that try to provide the same bin. (@iarna)

THERE'S AN END IN SIGHT

  • d2178a9 #9223 Close a bunch of infinite loops that could show up with symlink cycles in your dependencies. (@iarna)

OOPS DIDN'T MEAN TO FIX THAT

Well, not just yet. This was scheduled for next week, but it snuck into 2.x this week.

  • 139dd92 #8716 npm init will now only pick up the modules you install, not everything else that got flattened with them. (@iarna)

v2.14.0

@zkat zkat released this · 454 commits to master since this release

IT'S HERE! KINDA!

This release adds support for teens and orcs (err, teams and organizations) to the npm CLI! Note that the web site and registry-side features of this are still not ready for public consumption.

A beta should be starting in the next couple of weeks, and the features themselves will become public once all that's done. Keep an eye out for more news!

All of these changes were done under #9011:

  • 6424170 Added new npm team command and subcommands. (@zkat)
  • 52220d1 Added documentation for new npm team command. (@zkat)
  • 4e66830 Updated npm access to support teams and organizations. (@zkat)
  • ea3eb87 Gussied up docs for npm access with new commands. (@zkat)
  • 6e0b431 Fix up npm whoami to make the underlying API usable elsewhere. (@zkat)
  • f29c931 npm-registry-client@7.0.1: Upgrade npm-registry-client API to support team and access calls against the registry. (@zkat)

A FEW EXTRA VERSION BUMPS

ALSO A DOC FIX

  • 846fcc7 #9200 Remove single quotes around semver range, thus making it valid semver. (@KenanY)

v3.2.2

@iarna iarna released this · 79 commits to master since this release

v3.2.2 (2015-08-08):

Lots of lovely bug fixes for npm@3. I'm also suuuuper excited that I think we have a handle on stack explosions that affect a small portion of our users. We also have some tantalizing clues as to where some low hanging fruit may be for performance issues.

And of course, in addition to the npm@3 specific bug fixes, there are some great ones coming in from npm@2! @othiym23 put together that release this week – check out its release notes for the deets.

AS ALWAYS STILL BETA

THIS IS BETA SOFTWARE. Just like the airline safety announcements, we're not taking this plane off till we finish telling you: npm@3 will remain in beta until we're confident that it's stable and have assessed the effect of the breaking changes on the community. During that time we will still be doing npm@2 releases, with npm@2 tagged as latest and next. We'll also be publishing new releases of npm@3 as npm@v3.x-next and npm@v3.x-latest alongside those versions until we're ready to switch everyone over to npm@3. We need your help to find and fix its remaining bugs. It's a significant rewrite, so we are sure there are still significant bugs remaining. So do us a solid and deploy it in non-critical CI environments and for day-to-day use, but maybe don't use it for production maintenance or frontline continuous deployment just yet.

BUG FIXES

  • a8c8a13 #9050 Resolve peer deps relative to the parent of the requirer (@iarna)
  • 05f0226 #9077 Fix crash when saving git+ssh urls (@iarna)
  • e4a3808 #8951 Extend our patch to allow * to match something when a package only has prerelease versions to everything and not just the cache. (@iarna)
  • d135abf #8871 Don't warn about a missing package.json or missing fields in the global install directory. (@iarna)

DEP VERSION BUMPS

v2.13.5

@othiym23 othiym23 released this · 454 commits to master since this release

v2.13.5 (2015-08-07):

This is another quiet week for the npm@2 release. @zkat has been working hard on polishing the CLI bits of the registry's new feature to support direct management of teams and organizations, and @iarna continues to work through the list of issues blocking the general release of npm@3, which is looking more and more solid all the time.

@othiym23 and @zkat have also been at this week's Node.js / io.js collaborator summit, both as facilitators and participants. This is a valuable opportunity to get some face time with other contributors and to work through a bunch of important discussions, but it does leave us feeling kind of sleepy. Running meetings is hard!

What does that leave for this release? A few of the more tricky bug fixes that have been sitting around for a little while now, and a couple dependency upgrades. Nothing too fancy, but most of these were contributed by developers like you, which we think is swell. Thanks!

BUG FIXES

  • d7271b8 #4530 The bash completion script for npm no longer alters global completion behavior around word breaks. (@whitty)
  • c9ce294 #7198 When setting up dependencies to be shared via npm link <package>, only run the lifecycle scripts during the original link, not when running npm link <package> or npm install --link against them. (@murgatroid99)
  • 422da66 #9108 Clear up minor confusion around wording in bundledDependencies section of package.json docs. (@derekpeterson)
  • 6b42d99 #9146 Include scripts that run for preversion, version, and postversion in the section for lifecycle scripts rather than the generic npm run-script output. (@othiym23)

NOPE, NOT DONE WITH DEPENDENCY UPDATES

  • 91a48bb chmodr@1.0.1: Ignore symbolic links when recursively changing mode, just like the Unix command. (@isaacs)
  • 4bbc86e nock@2.10.0 (@pgte)

v3.2.1

@iarna iarna released this · 107 commits to master since this release

v3.2.1 (2015-07-31):

AN EXTRA QUIET RELEASE

A bunch of stuff got deferred for various reasons, which just means more branches to land next week!

Don't forget to check out Kat's 2.x release for other quiet goodies.

AS ALWAYS STILL BETA

THIS IS BETA SOFTWARE. Yes, we're still reminding you of this. No, you can't be excused. npm@3 will remain in beta until we're confident that it's stable and have assessed the effect of the breaking changes on the community. During that time we will still be doing npm@2 releases, with npm@2 tagged as latest and next. We'll also be publishing new releases of npm@3 as npm@v3.x-next and npm@v3.x-latest alongside those versions until we're ready to switch everyone over to npm@3. We need your help to find and fix its remaining bugs. It's a significant rewrite, so we are sure there are still significant bugs remaining. So do us a solid and deploy it in non-critical CI environments and for day-to-day use, but maybe don't use it for production maintenance or frontline continuous deployment just yet.

MAKING OUR TESTS TEST THE THING THEY TEST

  • 6e53c3d #8985 Many thanks to @bengl for noticing that one of our tests wasn't testing what it claimed it was testing! (@bengl)

MY PACKAGE.JSON WAS ALREADY IN THE RIGHT ORDER

  • eb2c7aa #9068 Stop sorting keys in the package.json that we haven't edited. Many thanks to @Qix- for bringing this up and providing a first pass at a patch for this. (@iarna)

DEV DEP UPDATE
