This repository has been archived by the owner on Aug 11, 2022. It is now read-only.
v2.7.5
SECURITY FIXES
300834e tar@2.0.0: Normalize symbolic links that point to targets outside the extraction root. This prevents packages containing symbolic links from overwriting targets outside the expected paths for a package. Thanks to Tim Cuthbertson and the team at Lift Security for working with the npm team to identify this issue. (@othiym23)
0dc6875 semver@4.3.2: Package versions can be no more than 256 characters long. This prevents a situation in which parsing the version number can use exponentially more time and memory to parse, leading to a potential denial of service. Thanks to Adam Baldwin at Lift Security for bringing this to our attention. (@isaacs)
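The containment rule behind the tar@2.0.0 entry above, as an added example that is not code from tar or npm: before a symbolic link entry is created, resolve its target against the directory that will hold the link and check that the result stays under the extraction root. The function names, the root /tmp/extract and the sample entries are assumptions constructed for illustration.

```javascript
'use strict';
// Added example, not code from tar or npm. Archive paths use "/", so path.posix is used.
const { posix: p } = require('path');

// True when `candidate` is `root` itself or lies beneath it (lexical check only).
function isInside(root, candidate) {
  const rel = p.relative(root, candidate);
  return rel !== '..' && !rel.startsWith('../') && !p.isAbsolute(rel);
}

// Classify one symlink entry before it is created on disk.
//   entryPath:  where the archive wants the link created, relative to root
//   linkTarget: the target string stored in the entry
function checkLink(root, entryPath, linkTarget) {
  const absRoot = p.resolve(root);
  const linkAt = p.resolve(absRoot, entryPath);
  if (!isInside(absRoot, linkAt)) {
    return { entryPath, ok: false, reason: 'link location outside root' };
  }
  // Relative targets resolve against the directory that holds the link;
  // absolute targets are used as written.
  const resolved = p.resolve(p.dirname(linkAt), linkTarget);
  if (!isInside(absRoot, resolved)) {
    return { entryPath, ok: false, reason: 'target outside root', resolved };
  }
  return { entryPath, ok: true, resolved };
}

// Return only the entries an extractor should refuse or rewrite.
function flagged(root, entries) {
  return entries
    .map((e) => checkLink(root, e.path, e.linkpath))
    .filter((r) => !r.ok);
}

// Constructed sample entries (hypothetical archive contents).
const SAMPLE_ROOT = '/tmp/extract';
const SAMPLE_ENTRIES = [
  { path: 'package/lib/current', linkpath: '../dist/index.js' },
  { path: 'package/config', linkpath: '../../outside/settings' },
  { path: 'package/abs', linkpath: '/opt/other/file' },
  { path: 'package/..data', linkpath: './..cache' },
];

// This is a lexical check: a real extractor must also account for parent
// directories that are themselves symlinks created by earlier entries.
console.log(flagged(SAMPLE_ROOT, SAMPLE_ENTRIES));
```

The check compares path segments rather than string prefixes, so a sibling directory such as /tmp/extract-other is not mistaken for the root.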
BUG FIXES
5811468 #7713 Add a test for npm link and npm link <package>. (@watilde)
3cf3b0c #7713 Only use absolute symbolic links when npm linking. (@hokaccha)
f35aa93 #7443 Keep relative URLs when hitting search endpoint. (@othiym23)
eab6184 #7766 One last tweak to ensure that GitHub shortcuts work with private repositories. (@iarna)
5d7f704 #7656 Don't try to load a deleted CA file, allowing the cafile config to be changed. (@KenanY)
a840a13 #7746 Only fix up URL paths when there are paths to fix up. (@othiym23)
DEPENDENCY UPDATES
94df809 request@2.54.0: Fixes for Node.js 0.12 and io.js. (@simov)
98a13ea opener@1.4.1: Deal with start on Windows more conventionally. (@domenic)
c2417c7 require-inject@1.2.0: Add installGlobally to bypass cleanups. (@iarna)