Skip to content
This repository has been archived by the owner on Aug 11, 2022. It is now read-only.

v5.5.0
Compare
Choose a tag to compare
@iarna iarna released this 04 Oct 16:52
· 425 commits to latest since this release
v5.5.0
This tag was signed with the committer’s verified signature.
iarna Rebecca Turner
GPG key ID: 778766724ED07A57
Learn about vigilant mode.
0ea9f70

Hey y'all, this is a big new feature release! We've got some security related goodies plus a some quality-of-life improvements for anyone who uses the public registry (so, virtually everyone).

The changes largely came together in one piece, so I'm just gonna leave the commit line here:

TWO FACTOR AUTHENTICATION

You can now enable two-factor authentication for your npm account. You can even do it from the CLI. In fact, you have to, for the time being:

npm profile enable-tfa

With the default two-factor authentication mode you'll be prompted to enter a one-time password when logging in, when publishing and when modifying access rights to your modules.

TOKEN MANAGEMENT

You can now create, list and delete authentication tokens from the comfort of the command line. Authentication tokens created this way can have NEW restrictions placed on them. For instance, you can create a read-only token to give to your CI. It will be able to download your private modules but it won't be able to publish or modify modules. You can also create tokens that can only be used from certain network addresses. This way you can lock down access to your corporate VPN or other trusted machines.

Deleting tokens isn't new, you could do it via the website but now you can do it via the CLI as well.

CHANGE YOUR PASSWORD, SET YOUR EMAIL

You can finally change your password from the CLI with npm profile set password! You can also update your email address with npm profile set email <address>. If you change your email address we'll send you a new verification email so you verify that its yours.

AND EVERYTHING ELSE ON YOUR PROFILE

You can also update all of the other attributes of your profile that previously you could only update via the website: fullname, homepage, freenode, twitter and github.

AVAILABLE STAND ALONE

All of these features were implemented in a stand alone library, so if you have use for them in your own project you can find them in npm-profile on the registry. There's also a little mini-cli written just for it at npm-profile-cli. You might also be interested in the API documentation for these new features: user profile editing and authentication.

BUG FIXES

  • 5ee55dc71 install.sh: Drop support for upgrading from npm@1 as npm@5 can't run on any Node.js version that ships npm@1. This fixes an issue some folks were seeing when trying to upgrade using curl | http://npmjs.com/install.sh. (@iarna)
  • 5cad1699a npm-lifecycle@1.0.3 Fix a bug where when more than one lifecycle script got queued to run, npm would crash. (@zkat)
  • cd256cbb2 npm-packlist@1.1.9 Fix a bug where test directories would always be excluded from published modules. (@isaacs)
  • 2a11f0215 Fix formatting of unsupported version warning (@iarna)

DEPENDENCY UPDATES

  • 6d2a285a5 npm-registry-client@8.5.0
  • 69e64e27b request@2.83.0
  • 34e0f4209 abbrev@1.1.1
  • 10d31739d aproba@1.2.0
  • 2b02e86c0 meant@1.0.1
  • b81fff808 rimraf@2.6.2: Fixes a long standing bug in rimraf's attempts to work around Windows limitations where it owns a file and can change its perms but can't remove it without first changing its perms. This may be an improvement for Windows users of npm under some circumstances. (@isaacs)
Assets 2