Skip to content
This repository has been archived by the owner. It is now read-only.

@zkat zkat released this Jul 6, 2017 · 572 commits to latest since this release

Hey y'all~

We've got some goodies for you here, including npm@5's first semver-minor release! This version includes a huge number of fixes, particularly for some of the critical bugs users were running into after upgrading npm. You should overall see a much more stable experience, and we're going to continue hacking on fixes for the time being. Semver-major releases, specially for tools like npm, are bound to cause some instability, and getting npm@5 stable is the CLI team's top priority for now!

Not that bugfixes are the only things that landed, either: between improvements that fell out of the bugfixes, and some really cool work by community members like @mikesherov, npm@5.1.0 is twice as fast as npm@5.0.0 in some benchmarks. We're not stopping there, either: you can expect a steady stream of speed improvements over the course of the year. It's not top priority, but we'll keep doing what we can to make sure npm saves its users as much time as possible.

Hang on to your seats. At 100 commits, this release is a bit of a doozy. 😎


Semver-minor releases, of course, mean that there's a new feature somewhere, right? Here's what's bumping that number for us this time:

  • a09c1a69d #16687 Allow customizing the shell used to execute run-scripts. (@mmkal)
  • 4f45ba222 a48958598 901bef0e1 #17508 Add a new requires field to package-lock.json with information about the logical dependency tree. This includes references to the specific version each package is intended to see, and can be used for many things, such as converting package-lock.json to other lockfile formats, various optimizations, and verifying correctness of a package tree. (@iarna)
  • 47e8fc8eb #17508 Make npm ls take package locks (and shrinkwraps) into account. This means npm ls can now be used to see which dependencies are missing, so long as a package lock has been previously generated with it in. (@iarna)
  • f0075e7ca #17508 Take package.json changes into account when running installs -- if you remove or add a dependency to package.json manually, npm will now pick that up and update your tree and package lock accordingly. (@iarna)
  • 83a5455aa #17205 Add npm udpate as an alias for npm update, for symmetry with install/isntall. (@gdassori)
  • 57225d394 #17120 npm will no longer warn about preferGlobal, and the option is now deprecated. (@zkat)
  • 82df7bb16 #17351 As some of you may already know npm build doesn't do what a lot of people expect: It's mainly an npm plumbing command, and is part of the more familiar npm rebuild command. That said, a lot of users assume that this is the way to run an npm run-script named build, which is an incredibly common script name to use. To clarify things for users, and encourage them to use npm run build instead, npm will now warn if npm build is run without any arguments. (@lennym)


  • 59f86ef90 43be9d222 e906cdd98 #16633 npm now parallelizes tarball extraction across multiple child process workers. This can significantly speed up installations, specially when installing from cache, and will improve with number of processors. (@zkat)
  • e0849878d #17441 Avoid building environment for empty lifecycle scripts. This change alone accounted for as much as a 15% speed boost for npm installations by outright skipping entire steps of the installer when not needed. (@mikesherov)
  • 265c2544c npm/hosted-git-info#24 hosted-git-info@2.5.0: Add caching to fromURL, which gets called many, many times by the installer. This improved installation performance by around 10% on realistic application repositories. (@mikesherov)
  • 901d26cb npm/read-package-json#20 read-package-json@2.0.9: Speed up installs by as much as 20% by reintroducing a previously-removed cache and making it actually be correct this time around. (@mikesherov)
  • 44e37045d Eliminate Bluebird.promisifyAll from our codebase. (@iarna)
  • 3b4681b53 #17508 Stop calling addBundle on locked deps, speeding up the package-lock.json-based fast path. (@iarna)


  • #17508 This is a big PR that fixes a variety of issues when installing from package locks. If you were previously having issues with missing dependencies or unwanted removals, this might have fixed it (@iarna):
    • It introduces a new package-lock.json field, called requires, which tracks which modules a given module requires.
    • It fixes #16839 which was caused by not having this information available, particularly when git dependencies were involved.
    • It fixes #16866, allowing the package.json to trump the package-lock.json.
    • npm ls now loads the shrinkwrap, which opens the door to showing a full tree of dependencies even when nothing is yet installed. (It doesn't do that yet though.)
  • 656544c31 d21ab57c3 #16637 Fix some cases where npm prune was leaving some dependencies unpruned if to-be-pruned dependencies depended on them. (@exogen)
  • 394436b09 #17552 Make refresh-package-json re-verify the package platform. This fixes an issue most notably experienced by Windows users using create-react-app where fsevents would not short-circuit and cause a crash during its otherwise-skipped native build phase. (@zkat)
  • 9e5a94354 #17590 Fix an issue where npm@5 would crash when trying to remove packages installed with npm@<5. (@iarna)
  • c3b586aaf #17141 Don't update the package.json when modifying packages that don't go there. This was previously causing package.json to get a "false": {} field added. (@iarna)
  • d04a23de2 4a5b360d5 d9e53db48 pacote@2.7.38 (@colinrotherham, @zkat, @mcibique):
    • zkat/pacote#102 Fix issue with tar extraction and special characters.
    • Enable loose semver parsing in some missing corner cases.
  • e2f815f87 #17104 Write an empty str and wait for flush to exit to reduce issues with npm exiting before all output is complete when it's a child process. (@zkat)
  • 835fcec60 #17060 Make git repos with prepare scripts always install with both dev and prod flags. (@intellix)
  • f1dc8a175 #16879 Fix support for always-auth and _auth. They are now both available in both unscoped and registry-scoped configurations. (@jozemlakar)
  • ddd8a1ca2 Serialize package specs to prevent [object Object] showing up in logs during extraction. (@zkat)
  • 99ef3b52c #17505 Stop trying to commit updated npm-shrinkwrap.json and package-lock.json if they're .gitignored. (@zkat)
  • 58be2ec59 Make sure uid and gid are getting correctly set even when they're 0. This should fix some Docker-related issues with bad permissions/broken ownership. (@rgrove)
  • 9d1e3b6fa #17506 Skip writing package.json and locks if on-disk version is identical to the new one. (@zkat)
  • 3fc6477a8 #17592 Fix an issue where npm install -g . on a package with no name field would cause the entire global node_modules directory to be replaced with a symlink to $CWD. lol. (@iarna)
  • 06ba0a14a #17591 Fix spurious removal reporting: if you tried to remove something that didn't actually exist, npm would tell you it removed 1 package even though there wasothing to do. (@iarna)
  • 20ff05f8 #17629 When removing a link, keep dependencies installed inside of it instead of removing them, if the link is outside the scope of the current project. This fixes an issue where removing globally-linked packages would remove all their dependencies in the source directory, as well as some ergonomic issues when using links in other situations. (@iarna)



Not all contributions need to be visible features, docs, or bugfixes! It's super helpful when community members go over our code and help clean it up, too!

Assets 2
You can’t perform that action at this time.