This repository has been archived by the owner. It is now read-only.

@iarna iarna released this May 10, 2018 · 92 commits to latest since this release

Assets 2

CTRL-C OUT DURING PACKAGE EXTRACTION AS MUCH AS YOU WANT!

SHRONKWRAPS AND LACKFILES

If a published modules had legacy npm-shrinkwrap.json we were saving ordinary registry dependencies (name@version) to your package-lock.json as https:// URLs instead of versions.

  • 89102c0d9 When saving the lock-file compute how the dependency is being required instead of using _resolved in the package.json. This fixes the bug that was converting registry dependencies into https:// dependencies. (@iarna)
  • 676f1239a When encountering a https:// URL in our lockfiles that point at our default registry, extract the version and use them as registry dependencies. This lets us heal package-lock.json files produced by 6.0.0 (@iarna)

AUDIT AUDIT EVERYWHERE

You can't use it quite yet, but we do have a few last moment patches to npm audit to make it even better when it is turned on!

  • b2e4f48f5 Make sure we hide stream errors on background audit submissions. Previously some classes of error could end up being displayed (harmlessly) during installs. (@iarna)
  • 1fe0c7fea Include session and scope in requests (as we do in other requests to the registry). (@iarna)
  • d04656461 Exit with non-zero status when vulnerabilities are found. So you can have npm audit as a test or prepublish step! (@iarna)
  • fcdbcbacc Verify lockfile integrity before running. You'd get an error either way, but this way it's faster and can give you more concrete instructions on how to fix it. (@iarna)
  • 2ac8edd42 Refuse to run in global mode. Audits require a lockfile and globals don't have one. Yet. (@iarna)
  • 3dcc240db Timeout audit requests eventually. (@iarna)

Looking forward

We're still a way from having node@11, so now's a good time to ensure we don't warn about being used with it.

DOCUMENTATION IMPROVEMENTS

DEPENDENCY UPDATES