v3.5.1

THE npm CLI !== THE npm REGISTRY !== npm, INC.

npm-the-CLI is licensed under the terms of the Artistic License 2.0, which is a liberal open-source license that allows you to take this code and do pretty much whatever you like with it (that is, of course, not legal language, and if you're doing anything with npm that leaves you in doubt about your legal rights, please seek the review of qualified counsel, which is to say, not members of the CLI team, none of whom have passed the bar, to my knowledge). At the same time the primary registry the CLI uses when looking up and downloading packages is a commercial service run by npm, Inc., and it has its own Terms of Use.

Aside from clarifying the terms of use (and trying to make sure they're more widely known), the only recent changes to npm's licenses have been making the split between the CLI and registry clearer. You are still free to do whatever you like with the CLI's source, and you are free to view, download, and publish packages to and from registry.npmjs.org, but now the existing terms under which you can do so are more clearly documented. Aside from the two commits below, see also the release notes for npm@3.4.1, which is where the split between the CLI's code and the terms of use for the registry was first made more clear.

• 35a5dd5 #10532 Clarify that registry.npmjs.org is the default, but that you're free to use the npm CLI with whatever registry you wish. (@kemitchell)
• fa6b013 #10532 Having semi-duplicate release information in README.md was confusing and potentially inaccurate, so remove it. (@kemitchell)

EASE UP ON WINDOWS BASH USERS

It turns out that a fair number of us use bash on Windows (through MINGW or bundled with Git, plz – Cygwin is still a bridge too far, for both npm and Node.js). @jakub-g did us all a favor and relaxed the check for npm completion to support MINGW bash. Thanks, Jakub!

• 09498e4 #10156 completion: enable on Windows in git bash (@jakub-g)

THE ONGOING SAGA OF BUNDLED DEPENDENCIES

npm@3.5.0 fixed up a serious issue with how npm@3.4.1 (and potentially npm@3.4.0 and npm@3.3.12) handled the case in which dependencies bundled into a package tarball are handled improperly when one or more of their own dependencies are older than what's latest on the registry. Unfortunately, in fixing that (quite severe) regression (see npm@3.5.0's release notes' for details), we introduced a new (small, and fortunately cosmetic) issue where npm superfluously warns you about bundled dependencies being stale. We have now fixed that, and hope that we haven't introduced any other regressions in the process. :D

• 20824a7 #10501 Only warn about replacing bundled dependencies when actually doing so. (@iarna)

MAKE NODE-GYP A LITTLE BLUER

• 1d14d88 node-gyp@3.2.0: Support AIX, use which to find Python, updated to a newer version of gyp, and more! (@bnoordhuis)

A BOUNTEOUS THANKSGIVING CORNUCOPIA OF DOC TWEAKS

These are great! Keep them coming! Sorry for letting them pile up so deep, everybody. Also, a belated Thanksgiving to our Canadian friends, and a happy Thanksgiving to all our friends in the USA.

• 4659f1c #10244 In npm@3, npm dedupe doesn't take any arguments, so update documentation to reflect that. (@bengotow)
• 625a7ee #10250 Correct order of org:team in npm team documentation. (@louislarry)
• bea7f87 #10371 Remove broken / duplicate link to tag. (@WickyNilliams)
• 0a25e29 #10419 Remove references to nonexistent npm-rm(1) documentation. (@KenanY)
• 19b94e1 #10474 Clarify that install finds dependencies in package.json. (@sleekweasel)
• b25efc8 #9948 Encourage users to file an issue, rather than emailing authors. (@trodrigues)
• 24f4ced #10497 Clarify what a package is slightly. (@aredridel)
• e8168d4 #10539 Remove an extra, spuriously capitalized letter. (@alexlukin-softgrad)