This repository has been archived by the owner. It is now read-only.

@iarna iarna released this Aug 12, 2016 · 2592 commits to latest since this release

Assets 2

v2.15.10 (2016-08-11):

Hi all, today's our first release coming out of the new monthly release cadence. See below for details. We're all recovered from conferences now and raring to go! For LTS we see some bug fixes, documentation improvements and a host of dependency updates.

The most dramatic bug fix is probably the inclusion of scoped modules in bundled dependencies. Prior to this release and v3.10.7, npm had ignored scoped modules found in bundleDependencies entirely.


Releasing npm has been, for the most part, a very prominent part of our weekly process process. As part of our efforts to find the most effective ways to allocate our team's resources, we decided last month that we would try and slow our releases down to a monthly cadence, and see if we found ourselves with as much extra time and attention as we expected to have. Process experiments are useful for finding more effective ways to do our work, and we're at least going to keep doing this for a whole quarter, and then measure how well it worked out. It's entirely likely that we'll switch back to a more frequent cadence, specially if we find that the value that weekly cadence was providing the community is not worth sacrificing for a bit of extra time. Does this affect you significantly? Let us know!


  • 405c404 #13023 Fixed a Windows issue with the cache where callbacks could be called more than once. (@zkat)
  • bf348dc #13023 Fixed a Windows corner case with correct-mkdir where if SUDO_UID or SUDO_GID were set then we would try to chown things even though that can't work on Windows. (@zkat)


  • 68f29f1 #12669 Ignore ENOENT errors on chownr while adding packages to cache. This change works around problems with race conditions and local packages. (@julianduque)




  • 66ef279 npm/fstream-npm#22 fstream@1.1.1: Always include NOTICE files now. Fix inclusion of scoped modules as bundled dependencies. (@kemitchell) (@forivall)
  • fe8385b glob@7.0.5: Update minimatch dep for security fix. See the minimatch update below for details. (@isaacs)
  • 51d49d2 isaacs/node-graceful-fs#71 graceful-fs@4.1.5: graceful-fs had a bug fix which fixes a problem (nodejs/node#7846) exposed by recent changes to Node.js. (@thefourtheye)
  • 5c8f39d minimatch@3.0.3: Handle extremely long and terrible patterns more gracefully. There were some magic numbers that assumed that every extglob pattern starts and ends with a specific number of characters in the regular expression. Since !(||) patterns are a little bit more complicated, this led to creating an invalid regular expression and throwing. (@isaacs)
  • d681e16 npm/npm-user-validate#9 npm-user-validate@0.1.5: Use correct, lower username length limit. (@aredridel)
  • f918994 request@2.74.0: Update request dependency tough-cookie to 2.3.0 to to address Versions 0.9.7 through 2.2.2 contain a vulnerable regular expression that, under certain conditions involving long strings of semicolons in the "Set-Cookie" header, causes the event loop to block for excessive amounts of time. (@stash-sfdc)
  • 5540cc4 isaacs/rimraf#111 rimraf@2.5.4: Clarify assertions: cb is required, options are not. (@isaacs)
  • 6357928 spdx-license-ids@1.2.2: New licenses synced from (@shinnn)