v2.7.5

SECURITY FIXES

• 300834e
tar@2.0.0: Normalize symbolic links that point to targets outside the
  extraction root. This prevents packages containing symbolic links from
  overwriting targets outside the expected paths for a package. Thanks to Tim
  Cuthbertson and the team at Lift
  Security for working with the npm team to identify
  this issue. (@othiym23)
• 0dc6875
semver@4.3.2: Package versions can be no more than 256 characters long.
  This prevents a situation in which parsing the version number can use
  exponentially more time and memory to parse, leading to a potential denial of
  service. Thanks to Adam Baldwin at Lift Security for bringing this to our
  attention. (@isaacs)

BUG FIXES

• 5811468
  #7713 Add a test for npm link and
  npm link <package>. (@watilde)
• 3cf3b0c
  #7713 Only use absolute symbolic
  links when npm linking. (@hokaccha)
• f35aa93
  #7443 Keep relative URLs when
  hitting search endpoint. (@othiym23)
• eab6184
  #7766 One last tweak to ensure that
  GitHub shortcuts work with private repositories.
  (@iarna)
• 5d7f704
  #7656 Don't try to load a deleted
  CA file, allowing the cafile config to be changed.
  (@KenanY)
• a840a13
  #7746 Only fix up URL paths when
  there are paths to fix up. (@othiym23)

DEPENDENCY UPDATES

• 94df809
request@2.54.0: Fixes for Node.js 0.12 and io.js.
  (@simov)
• 98a13ea
opener@1.4.1: Deal with start on Windows more conventionally.
  (@domenic)
• c2417c7
require-inject@1.2.0: Add installGlobally to bypass cleanups.
  (@iarna)

DOCUMENTATION FIXES

• f87c728
  #7696 Months and minutes were
  swapped in doc-build.sh (@MeddahJ)
• 4e216b2
  #7752 Update string examples to be
  properly quoted. (@snuggs)
• 402f52a
  #7635 Clarify Windows installation
  instructions. (@msikma)
• c910399
  small typo fix to CHANGELOG.md (@e-jigsaw)