Look at that! A feature bump!
npm@6 was super-exciting not just because it used a bigger number than ever before, but also because it included a super shiny new command:
npm audit. Well, we've kept working on it since then and have some really nice improvements for it. You can expect more of them, and the occasional fix, in the next few releases as more users start playing with it and we get more feedback about what y'all would like to see from something like this.
I, for one, have started running it (and the new subcommand...) in all my projects, and it's one of those things that I don't know how I ever functioned -without- it! This will make a world of difference to so many people as far as making the npm ecosystem a higher-quality, safer commons for all of us.
This is also a good time to remind y'all that we have a new RFCs repository, along with a new process for them. This repo is open to anyone's RFCs, and has already received some great ideas about where we can take the CLI (and, to a certain extent, the registry). It's a great place to get feedback, and completely replaces feature requests in the main repo, so we won't be accepting feature requests there at all anymore. Check it out if you have something you'd like to suggest, or if you want to keep track of what the future might look like!
npm audit fix
This is the biggie with this release!
npm audit fix does exactly what it says on the tin. It takes all the actionable reports from your
npm audit and runs the installs automatically for you, so you don't have to try to do all that mechanical work yourself!
Note that by default,
npm audit fix will stick to semver-compatible changes, so you should be able to safely run it on most projects and carry on with your day without having to track down what breaking changes were included. If you want your (toplevel) dependencies to accept semver-major bumps as well, you can use
npm audit fix --force and it'll toss those in, as well. Since it's running the npm installer under the hood, it also supports
--only=dev flags, as well as things like
--package-lock-only, if you want more control over what it does.
Give it a whirl and tell us what you think! See
npm help audit for full docs!
1854b1c7f#20568 Add support for
npm audit --jsonto print the report in JSON format. (@finnp)
85b86169d#20570 Include number of audited packages in
npm installsummary output. (@zkat)
email@example.com: Overhaul audit install and detail output format. The new format is terser and fits more closely into the visual style of the CLI, while still providing you with the important bits of information you need. They also include a bit more detail on the footer about what actions you can take! (@zkat)
NEW FEATURE: GIT DEPS AND
npm init <pkg>!
Another exciting change that came with
npm@6 was the new
npm init command that allows for community-authored generators. That means you can, for example, do
npm init react-app and it'll one-off download, install, and run
create-react-app for you, without requiring or keeping around any global installs. That is, it basically just calls out to
The first version of this command only really supported registry dependencies, but now, @jdalton went ahead and extended this feature so you can use hosted git dependencies, and their shorthands.
So go ahead and do
npm init facebook/create-react-app and it'll grab the package from the github repo now! Or you can use it with a private github repository to maintain your organizational scaffolding tools or whatnot.
FIX WRITE AFTER END ERROR
First introduced in 5.8.0, this finally puts to bed errors where you would occasionally see
Error: write after end at MiniPass.write.
firstname.lastname@example.org: Fix write-after-end errors. (@zkat)
DETECT CHANGES IN GIT SPECIFIERS
0e1726c03We can now determine if the commitid of a git dependency in the lockfile is derived from the specifier in the package.json and if it isn't we now trigger an update for it. (@iarna)
631d30a34When requesting the update of a direct dependency that was also a transitive dependency to a version incompatible with the transitive requirement and you had a lock-file but did not have a
node_modulesfolder then npm would fail to provide a new copy of the transitive dependency, resulting in an invalid lock-file that could not self heal. (@iarna)
be5dd0f49#20715 Cleanup output of
npm cisummary report. (@legodude17)
98ffe4adbNode.js now has a test that scans for things that look like conflict markers in source code. This was triggering false positives on a fixture in a test of npm's ability to heal lockfiles with conflicts in them. (@iarna)
a41c0393c#20538 Make the new
npm viewwork when the license field is an object instead of a string. (@zkat)
eb7522073#20582 Add support for environments (like Docker) where the expected binary for opening external URLs is not available. (@bcoe)
212266529#20536 Fix a spurious colon in the new update notifier message and add support for the npm canary. (@zkat)
5ee1384d0#20597 Infer a version range when a
package.jsonhas a dist-tag instead of a version range in one of its dependency specs. Previously, this would cause dependencies to be flagged as invalid. (@zkat)
4fa68ae41#20585 Make sure scoped bundled deps are shown in the new publish preview, too. (@zkat)
email@example.com: Stop dropping
sizefrom metadata on
npm cache verify. (@jfmartinez)
91ef93691#20513 Fix nested command aliases. (@mmermerkaya)
firstname.lastname@example.org: Make sure different versions of the
Pathenv var on Windows all get
node_modules/.binprepended when running lifecycle scripts. (@laggingreflex)
a91d87072#20550 Update required node versions in README. (@legodude17)
bf3cfa7b8Pull in changelogs from the last
b2f14b14c#20629 Make tone in
publishConfigdocs more neutral. (@jeremyckahn)
npm audit fix, replace some transitive dependencies with security issues with versions that don't have any. (@iarna)
email@example.com: Dropping to 4.4.1 from 4.4.2 due to isaacs/node-tar#183 (@zkat)