npm Changelog

What's new in npm 5.7.0

Feb 22, 2018

PACKAGE-LOCK GIT MERGE CONFLICT RESOLUTION:
Allow npm install to fix package-lock.json and npm-shrinkwrap.json files that have merge conflicts in them without your having to edit them. It works in conjunction with npm-merge-driver to entirely eliminate package-lock merge conflicts.
e27674c22 Automatically resolve merge conflicts in lock-files. (@zkat)
NPM CI:
The new npm ci command installs from your lock-file ONLY. If your package.json and your lock-file are out of sync then it will report an error.
It works by throwing away your node_modules and recreating it from scratch.
Beyond guaranteeing you that you'll only get what is in your lock-file it's also much faster (2x-10x!) than npm install when you don't start with a node_modules.
As you may take from the name, we expect it to be a big boon to continuous integration environments. We also expect that folks who do production deploys from git tags will see major gains.
5e4de9c99 Add new npm ci installer. (@zkat)
OTHER NEW FEATURES:
4d418c21b #19817 Include contributor count in installation summary. (@kemitchell)
17079c2a8 Require password to change email through npm profile. (@iarna)
e7c5d226a 4f5327c05 #19780 Add support for web-based logins. This is not yet available on the registry, however. (@isaacs)
BIG FIXES TO PRUNING:
827951590 Handle running npm install package-name with a node_modules containing packages without sufficient metadata to verify their origin. The only way to get install packages like this is to use a non-npm package manager. Previously npm removed any packages that it couldn't verify. Now it will leave them untouched as long as you're not asking for a full install. On a full install they will be reinstalled (but the same versions will be maintained).
This will fix problems for folks who are using a third party package manager to install packages that have postinstall scripts that run npm install. (@iarna)
3b305ee71 Only auto-prune on installs that will create a lock-file. This restores npm@4 compatible behavior when the lock-file is disabled. When using a lock-file npm will continue to remove anything in your node_modules that's not in your lock-file. (@iarna)
cec5be542 Fix bug where npm prune --production would remove dev deps from the lock file. It will now only remove them from node_modules not from your lock file. (@iarna)
857dab03f Fix bug where git dependencies would be removed or reinstalled when installing other dependencies. (@iarna)
BUG FIXES TO TOKENS AND PROFILES:
a66e0cd03 For CIDR filtered tokens, allow comma separated CIDR ranges, as documented. Previously you could only pass in multiple cidr ranges with multiple --cidr command line options. (@iarna)
d259ab014 Fix token revocation when an OTP is required. Previously you had to pass it in via --otp. Now it will prompt you for an OTP like other npm token commands. (@iarna)
f8b1f6aec Update token and profile commands to support legacy (username/password) authentication. (The npm registry uses tokens, not username/password pairs, to authenticate commands.) (@iarna)
OTHER BUG FIXES:
6954dfc19 Fix a bug where packages would get pushed deeper into the tree when upgrading without an existing copy on disk. Having packages deeper in the tree ordinarily is harmless but is not when peerDependencies are in play. (@iarna)
1ca916a1e Fix bug where when switching from a linked module to a non-linked module, the dependencies of the module wouldn't be installed on the first run of npm install. (@iarna)
8c120ebb2 Fix integrity matching to eliminate spurious EINTEGRITY errors. (@zkat)
94227e15e More consistently make directories using perm and ownership preserving features. (@iarna)
DEPENDENCY UPDATES:
364b23c7f f2049f9e7 [email protected] (@zkat)
d183d7675 [email protected]: (@iarna)
ffd6ea62c [email protected]
ee63b8a31 [email protected] (@isaacs)
6f73f5509 [email protected] (@dominictarr)
26cd64869 9bc6230cf [email protected] (@zkat)
21a39be42 [email protected]:5 (@joshbruce)
dabdf57b2 [email protected]
2594c5867 [email protected] (@iarna)
8abb3f230 [email protected] (@isaacs)
11a0b00bd [email protected] (@zkat)
9b6bdb2c7 [email protected] (@sindresorhus)
d6d17d6b5 [email protected] (@mcollina)
51370aad5 [email protected] (@isaacs)
0db14bac7 81da938ab 9999e83f8 [email protected] (@zkat)
f526992ab [email protected] (@isaacs)
be096b409 dc3059522 [email protected]
6b552daac [email protected] (@broofa)
8c9011b72 [email protected] (@rvagg)

New in npm 4.6.1 Pre (Apr 22, 2017)

New in npm 4.5.0 Pre (Mar 26, 2017)

New in npm 4.1.1 (Jan 20, 2017)

New in npm 4.0.2 Pre (Nov 5, 2016)

New in npm 4.0.1 Pre (Oct 25, 2016)

New in npm 3.10.9 Pre (Oct 12, 2016)

LIFECYCLE FIXES:
d388f90 #13942 Fix current working directory while running shrinkwrap lifecycle scripts. Previously if you ran a shrinkwrap from another lifecycle script AND node_modules existed (and if you're running npm shrinkwrap it probably should) then npm would run the shrinkwrap lifecycle from the node_modules folder instead of the package folder. (@evocateur) (@iarna)
c3b6cdf #13964 Fix bug where the uninstall lifecycles weren't being run when you reinstalled/updated an existing module. (@iarna)
72bb89c #13344 When running lifecycles use TMPDIR if it's writable and fall back to the current working directory if not. Previously we just assumed TMPDIR wouldn't be writable (as we might have been running as nobody and nobody on some systems can't write to TMPDIR). (@aaronjensen)
SHRINKWRAP GIT & TAGGED DEPENDENCY FIX:
3b5eee0 #13941 Fix git and tagged dependency matching with shrinkwraps. Previously git and tag (ie foo@latest) dependencies installed from a shrinkwrap would always be flagged as invalid. (@iarna)
BUG FIXES:
bf3bd1e #14143 Fix bug in npm version where npm-shrinkwrap.json wouldn't be updated if you ran npm version from outside of your project root. (@lholmquist)
1089878 #13613 Log 'skipping action' as 'verbose' instead of 'warn'. This removes a lot of clutter when there are links in your node_modules. The long term plan is to entirely blind npm to what's inside links, which will make this code go away entirely. (@timoxley)
952f1e1 #13999 Fix a bug where setting bin to null in your package.json would result in npm crashing. (@IonicaBizau)
fcf8b11 #14032 When using npm view, if you specified a version that didn't exist it would previously print undefined (even if you asked for JSON output). It now prints nothing in this situation. This brings npm@3's behavior in line with npm@2. (@roblg)
93c689f #14032 When using npm view --json with a version range that matches multiple versions we now return a list of all of the metadata for all of those versions. Previously we picked one and only returned that. This brings npm@3's behavior in line with npm@2. (@roblg)
2411728 #14045 Fix a Windows-only bug in the git tests. The tests had rather particular ideas about what arguments would be passed to git and on Windows they got this wrong. (@watilde)
DOCUMENTATION & MISC:
30772cc #13904 Update package.json example to include GitHub branches. (@stevokk)
f66876f #14010 Update the GitHub issue template to reflect Apple's change in name of its desktop operating system. (@AlexChesters)

New in npm 3.10.6 Pre (Jul 8, 2016)

New in npm 3.10.5 Pre (Jul 6, 2016)

New in npm 3.10.3 Pre (Jun 24, 2016)

New in npm 3.10.2 (Jun 24, 2016)

New in npm 3.10.2 Pre (Jun 21, 2016)

New in npm 3.9.5 Pre (May 29, 2016)

New in npm 3.9.4 Pre (May 27, 2016)

New in npm 3.9.3 Pre (May 22, 2016)

New in npm 3.9.2 (May 22, 2016)

New in npm 3.9.1 Pre (May 13, 2016)

New in npm 3.9.0 Pre (May 6, 2016)

111ae3e #8581 When a package is fetched from the cache which cannot satisfy the version requirements, an attempt to fetch it from the network is made. This is helpful for folks using high values for --cache-min who are willing to accept possibly not-the-most-recent modules in return for less network traffic. (@Zirak)
60b9a05 #12475 Options can only start with ASCII dashes. Ordinarily this isn't a problem but many web documentation tools "helpfully" convert -- into an emdash (–), or - into an endash (–). If you copy and paste from this documentation your commands won't work the way you expect. This adds a warning that tries to be a little more descriptive about why your command is failing. (@iarna)
bb5d6cb #11444 Add AppVeyor to CI matrix. (@othiym23)
044cbab #11444 Enable coverage reporting for every test run. (@othiym23)
37c6a51 #12150 Ensure that 'npm cache ls' outputs real filenames. Previously it would sometimes double up the package name in the path it printed. (@isaacs)
d3ce0b2 #11444 Fix unbuilding bins for scoped modules. (@iarna)
e928a30 #11444 Make handling of local modules (eg npm install /path/to/my/module) more consistent when saved to a package.json. There were bugs previously where it wouldn't consistently resolve relative paths in the same way. (@iarna)
b820ed4 #11444 Under certain circumstances the paths produced for linking, either relative or absolute, would end up basing off the wrong virtual cwd. This resulted in failures for npm link in these situations. (@iarna)
7380425 #11444 Scoped module names were not being correctly inferred from the path on Windows. (@zkat)
91fc24f #11444 Explore with a command to run didn't work properly in Windows– it would pop open a new cmd window and leave it there. (@iarna)
f07e643 #11444 Move exec path escaping out to its own function. This turns out to be tricky to get right because how you escape commands to run on Windows via cmd is different then how you escape them at other times. Specifically, you HAVE to quote each directory segment that has a quote in it, that is: C:\"Program Files"\MyApp\MyApp.exe By contrast, if that were an argument to a command being run, you CAN'T DO quote it that way, instead you have to wrap the entire path in quotes, like so: "C:\Program Files\MyApp\MyApp.exe". (@iarna)
2e01d29 #11444 Create a single function for detecting if we're running on Windows (and using a Windows shell like cmd) and use this instead of doing it one-off all over the place. (@iarna)
ef0dd74 #11444 The fruits of many weeks of labor, fix our tests to pass on Windows. (@zkat) (@iarna)
8fccda8 #11444 [email protected]: Fix file URLs on Windows. (@zkat)
f53a154 [email protected]: When readable-stream is disabled, reuse result of require('stream') instead of calling it every time. (@calvinmetcalf)
02841cf #11444 [email protected]: Resolve local package paths relative to package root, not cwd. (@zkat) (@iarna)
247c1c5 #11444 [email protected]: Fix Windows file URIs with leading slashes. (@zkat)
365c72b [email protected] (@isaacs)
e568caa [email protected] (@isaacs)
304b974 #11444 [email protected] (@feross)

New in npm 3.8.9 Pre (Apr 29, 2016)

New in npm 3.8.8 Pre (Apr 22, 2016)

BAD JSON IS BAD:
769e620 #12406 Failing to parse the top level package.json should be an error. (@watilde)
DOCUMENTATION:
7d64301 #12415 Clarify that when configuring client-side certificates for authenticating to non-npm registries that cert and key are not filesystem paths and should actually include the certificate and key data. (@rvedotrc)
f8539b8 #12324 Describe how npm run sets NODE and PATH in more detail. Note that npm run changes PATH to include the current node interpreter’s directory. (@addaleax)
2b57606 #11461 Clarify the documentation for the package.json homepage field. (@stevemao)
TESTS:
b5a0fbb #12329 Fix progress config testing to ignore local user configs. Previously, any local setting would cause the tests to fail as they were trying to test what the default values for the progress bar would be in different environments and any explicit setting overrides those defaults. (@iarna)
3d195bc The lifecycle-signal test could crash on v0.8 due to its use of Number.parseInt, which isn't available in that version of node. Fortunately global.parseInt is, so we just use that instead. (@iarna)
DEPENDENCY UPDATES:
05a28e3 [email protected]: Under some circumstances file:// URLs on Windows were not handled correctly.
Also, stop converting local module/tarballs into full paths in this module. We do already do that in realize-package-specifier, which is more appropriate as it knows what package we're installing relative to. (@zkat)
ada2e93 [email protected]: Require the new npm-package-arg, plus fix a case where specifiers that were maybe a tag, maybe a local filename were resolved differently than those that were definitely a local filename. (@zkat) (@iarna)
adc515b [email protected]: A fix for AIX where a non-empty directory can cause fs.rmDir to fail with EEXIST instead of ENOTEMPTY and three new tests (@richardlau)
Code cleanup, CI & dependency updates. (@othiym23)
ef53a46 [email protected] (@isaacs)
df1f2e4 [email protected]: Fix crashes when response headers indicate gzipped content but the body is empty. Add support for the deflate content encoding. (@simov)
776c599 [email protected]: Adds READABLE_STREAM env var that, if set to disable, will make readable-stream use the local native node streams instead. (@calvinmetcalf)
10d6d55 [email protected]: Add support git+file:// type URLs. (@zkat)
75017ae [email protected] (@jdalton)

New in npm 3.8.7 Pre (Apr 8, 2016)

New in npm 3.8.6 Pre (Apr 1, 2016)

New in npm 3.8.5 Pre (Mar 25, 2016)

New in npm 3.8.3 Pre (Mar 18, 2016)

New in npm 3.8.2 Pre (Mar 11, 2016)

New in npm 3.8.1 Pre (Mar 4, 2016)

New in npm 3.8.0 Pre (Feb 26, 2016)

New in npm 3.7.5 Pre (Feb 23, 2016)

New in npm 3.7.4 Pre (Feb 21, 2016)

New in npm 3.7.3 Pre (Feb 12, 2016)

New in npm 3.7.1 Pre (Feb 2, 2016)

New in npm 3.7.0 Pre (Jan 29, 2016)

PERFORMANCE:
c680fa9 [email protected]: New are-we-there-yet with performance patches from @STRML. New gauge with timer churn performance patch. (@iarna)
1d1ea7e #11306 Use JSON clone instead of lodash.cloneDeep. (@STRML)
NEW FEATURE: GIT SUBMODULE SUPPORT:
39dea9c #1876 Add support for git submodules in git remotes. This is a fairly simple approach, which does not leverage the git caching mechanism to cache submodules. It also doesn't provide a means to disable automatic initialization, e.g. via a setting in the .gitmodules file. (@gagern)
ROBUSTNESS:
5dec02a #10347 There is an obscure feature that lets you monkey-patch npm when it starts up. If the module being required with this feature failed, it would previously just make npm error out– this reduces that to a warning. (@evanlucas)
BUG FIXES:
9ab8b8d #10820 Fix a bug with npm ls where if you asked for ONLY production dependencies in output it would exclude dependencies that were BOTH production AND development dependencies. (@davidvgalbraith)
6803fed #8982 Fix a bug where, under some circumstances, if you had a path that contained the name of a package being installed somewhere in it, npm would incorrectly refuse to run lifecycle scripts. (@elvanja)
3eae40b #9253 Fix a bug where, when running lifecycle scripts, if the Node.js binary you ran npm with wasn't in your PATH, npm wouldn't use it to run your scripts. (@segrey)
61daa6a #11014 Fix a bug where running rimraf node_modules/ followed by npm rm --save would fail. npm now correctly removes the module from your package.json even though it doesn't exist on disk. (@davidvgalbraith)
a605586 #9679 Fix a bug where npm install --save git+https://… would save a https:// url to your package.json which was a problem because npm wouldn't then know that it was a git repo. (@gagern)
bbdc700 #10063 Fix a bug where npm would change the order of array properties in the package.json files of dependencies. npm adds a bunch of stuff to package.json files in your node_modules folder for debugging and bookkeeping purposes. As a part of this process it sorts the object to reduce file churn when it does updates. This fixes a bug where the arrays in the object were also getting sorted. This wasn't a problem for properties that npm itself maintains, but is a problem for properties used by other packages. (@substack)
DOCS IMPROVEMENTS:
2609a29 #11273 Include an example of viewing package version history in the npm view documentation. (@vedatmahir)
719ea9c #11272 Fix typographical issue in npm update documentation. (@jonathanp)
cb9df5a #11215 Do not call SEE LICENSE IN an SPDX expression, as it's not. (@kemitchell)
f427934 #11196 Correct the package.json examples in the npm update documentation to actually be valid JSON and not just JavaScript object literals. (@s100)
DEPENDENCY UPDATES:
a7b2407 [email protected]: New features and interface agnostic refactoring. (@tim-kos)
220fc77 [email protected]: A bunch of small bug fixes and module updates. (@simov)
9e5c84f [email protected]: Update isexe and fix bug in pathExt, in which files without extensions would sometimes be preferred to files with extensions on Windows, even though those without extensions aren't executable. pathExt is a list of extensions that are considered executable (exe, cmd, bat, com on Windows). (@isaacs)
375b9c4 [email protected]: Minor doc formatting fixes. (@isaacs)
ef1971e [email protected]: Misc minor code cleanup. No functional changes. (@jdalton)

New in npm 3.6.0 Pre (Jan 22, 2016)

NEW FEATURE:
ff504d4 #8752 In npm outdated, report symlinked packages as having a wanted & latest version of linked. (@halhenke)
f44d8c9 #10775 Add a success message to adduser / login. (@ekmartin)
3109303 #10043 Warn if you try to use npm run x if you don't have a node_modules folder, since whatever you're trying to do probably won't work. (@timkrins)
9ed2849 e9f1ad8 f10d300 8b593d8 #10717 npm version can now take a from-git argument, which instructs npm to read the version from git and update your package.json to what it finds. This is in contrast to its normal use where npm tells git about your new version. (@ekmartin)
BETTER NODE PRE-RELEASE SUPPORT:
6952f79 #11212 Engine check warnings are now issued along with any other warnings about your tree, instead of emitting in the middle of your install (and then disappearing behind the giant tree of stuff installed). (@iarna)
ee2ebe9 #11212 Suppress engine verification warnings about pre-release versions of Node.js. (@iarna)
135b7e0 #11212 Explicitly warn, in only one place, if you are using a pre-release version of Node.js. (@iarna)
BUG FIXES:
ea331c8 #10938 When removing a package, sometimes the node_modules/.bin wouldn't be cleaned up entirely. This would result in package folders that contained only a node_modules/.bin directory. In turn, this would result in npm ls and other tools complaining about these broken directories. To fix this, the unbuild step now explicitly deletes the node_modules/.bin folder as its final step. (@chrisirhc)
00720db #11158 On windows, the node-gyp wrapper would fail if your path to node-gyp contained spaces. This fixes that problem by quoting use of that path. (@orangemocha)
69ac933 #11142 Fix a race condition when making directories in the cache, which could lead to ENOENT failures. (@Jimbly)
e982858 #9696 When replacing the package.json in the cache you sometimes see EPERM errors on Windows that you wouldn't on Unix-like operating systems. This ignores those errors and allows Windows to continue. Longer term, we'll be adding something to retry these errors, but ultimately fail if there really is an ongoing permissions issue. (@orangemocha)
DOC CHANGES:
3666081 #11188 Add brief description to publish documentation of what's included in published tarballs. (@beaugunderson)
b463e34 #11150 In npm update docs, advise use of --depth Infinity instead of --depth 9999. (@halhenke)
382e71a #11128 In the package.json docs, make the reference to the "Local Paths" section a link to it as well. (@orangejulius)
5277e7f #11090 Fix the 3.5.4 release date in CHANGELOG.md. (@ashleygwilliams)
e6d238a #11130 Eliminate the "using npm programmatically" section from the README. The documentation for this was removed a while ago and is unsupported. (@ljharb)
DEPENDENCY UPDATES:
b0dde5c [email protected]: Update tests for most recent version of ini. (@dominictarr)
c62f414 [email protected]: Eliminated use of util._extend. (@isaacs)
98a6779 [email protected]: Bug fixes, including the non-linear performance that was biting npm a while back. (@jdalton)
0e8c4ce [email protected] (@jdalton)
1fd19f5 [email protected] (@jdalton)
b7486c5 [email protected] (@jdalton)
54bb591 [email protected] (@jdalton)
26f7a7a [email protected] (@jdalton)
ed38bd3 [email protected] (@jdalton)

New in npm 3.5.4 Pre (Jan 8, 2016)

DOCUMENTATION IMPROVEMENTS:
6b0031e #11044 Correct documentation regarding the defaults for the color config option. (@scottaddie)
c6ce69e #10990 Drop mentions in documentation of process.installPrefix, as it hasn't been a thing since Node.js 0.6 and we don't support that. (@jeffmcmahan)
dee92d1 #11037 Clarify the documentation on the max length of the name property in package.json files. (@scottaddie)
4b9d7bb #10787 Make the formatting in the documentation for npm dist-tag more consistent with other docs. (@cvrebert)
7f77a80 #10787 Add documentation to the npm dist-tag docs that explains in greater detail how latest is different than other tags. Further, improve the documentation with better examples. Add a discussion of common practice for using dist tags to manage alpha's and beta's. (@cvrebert)
6db58dd 2ee6371 #10788 #10789 Improve documentation cross referencing. (@cvrebert)
7ba629a #10790 Document more clearly that npm install foo means npm install foo@latest. (@cvrebert)
A FEW MODULE UPDATES:
fc2e8d5 [email protected]: Remove deprecated features and fix a bunch of bugs. (@isaacs)
5b820c4 [email protected]: Change the default on windows to be false, as international windows installs often install to non-unicode codepages and there's no way to detect this short of a system call or a call to a command line program. (@iarna)
238fe84 [email protected]: Fixed bugs with uid/gid checks and with quoted windows PATH parts. (@isaacs)
5e510e1 [email protected]: Add ability to disable glob support / pass in options. (@isaacs)
7558215 [email protected]: Minor performance improvements. (@calvinmetcalf)
64e8499 [email protected]: Rewrite to use modern streams even on 0.8 plus a bunch of tests. (@iarna)
74d92a0 [email protected]: Some bug fixes around large inputs. (@timoxley)
FIX NPM'S TESTS ON 0.8:
b14cdbb #10872 Rewrite tests using nock to use other alternatives. (@zkat)
59ed01a #10872 Node.js 0.8 http streams have a bug, where if they're paused with data in their buffers when the socket closes, they call end before emptying those buffers, which results in the entire pipeline ending and thus the point that applied backpressure never being able to trigger a resume.

New in npm 3.5.3 Pre (Dec 11, 2015)

New in npm 3.5.2 Pre (Dec 4, 2015)

New in npm 3.5.1 Pre (Nov 28, 2015)

New in npm 3.5.0 Pre (Nov 20, 2015)

TEEN ORCS AT THE GATES:
This week heralds the general release of the primary npm registry's new support for private packages for organizations. For many potential users, it's the missing piece needed to make it easy for you to move your organization's private work onto npm. And now it's here! The functionality to support it has been in place in the CLI for a while now, thanks to @zkat's hard work.
During our final testing before the release, our ace support team member @snopeks noticed that there had been some drift between the CLI team's implementation and what npm was actually preparing to ship. In the interests of everyone having a smooth experience with this extremely useful new feature, we quickly made a few changes to square up the CLI and the web site experiences.
d7fb92d #9327 npm access no longer has problems when run in a directory that doesn't contain a package.json. (@othiym23)
17df3b5 npm/npm-registry-client#126 [email protected]: Allow the CLI to grant, revoke, and list permissions on unscoped (public) packages on the primary registry. (@othiym23)
NON-OPTIONAL INSTALLS, DEFINITELY NON-OPTIONAL:
180263b #10465 When a non-optional dep fails, we check to see if it's only required by ONLY optional dependencies. If it is, we make it fail all the deps in that chain (and roll them back). If it isn't then we give an error.
We do this by walking up through all of our ancestors until we either hit an optional dependency or the top of the tree. If we hit the top, we know to give the error.
If you installed a module by hand but didn't --save it, your module won't have the top of the tree as an anscestor and so this code was failing to abort the install with an error
This updates the logic so that hitting the top OR a module that was requested by the user will trigger the error message. (@iarna)
b726a0e #9204 Ideally we would like warnings about your install to come AFTER the output from your compile steps or the giant tree of installed modules.
To that end, we've moved warnings about failed optional deps to the show after your install completes. (@iarna)
OVERRIDING BUNDLING:
aed71fb #10482 We've been in our bundled modules code a lot lately, and our last go at this introduced a new bug, where if you had a module a that bundled a module b, which in turn required c, and the version of c that got bundled wasn't compatible with b's package.json, we would then install a compatible version of c, but also erase b at the same time.
This fixes that. It also reworks our bundled module support to be much closer to being in line with how we handle non-bundled modules and we're hopeful this will reduce any future errors around them. The new structure is hopefully much easier to reason about anyway. (@iarna)
A BRIEF NOTE ON NPM'S BACKWARDS COMPATIBILITY:
We don't often have much to say about the changes we make to our internal testing and tooling, but I'm going to take this opportunity to reiterate that npm tries hard to maintain compatibility with a wide variety of Node versions. As this change shows, we want to ensure that npm works the same across: Node.js 0.8, Node.js 0.10, Node.js 0.12, the latest io.js release, Node.js 4 LTS, Node.js 5
Contributors who send us pull requests often notice that it's very rare that our tests pass across all of those versions (ironically, almost entirely due to the packages we use for testing instead of any issues within npm itself). We're currently beginning an effort, lasting the rest of 2015, to clean up our test suite, and not only get it passing on all of the above versions of Node.js, but working solidly on Windows as well. This is a compounding form of technical debt that we're finally paying down, and our hope is that cleaning up the tests will produce a more robust CLI that's a lot easier to write patches for.
791ec6b #10233 Update Node.js versions that Travis uses to test npm. (@iarna)
0.8 + npm

New in npm 3.4.1 Pre (Nov 13, 2015)

New in npm 3.4.0 (Nov 13, 2015)

New in npm 3.3.12 Pre (Nov 3, 2015)

New in npm 3.3.10 (Oct 30, 2015)

New in npm 3.3.11 Pre (Oct 30, 2015)

New in npm 2.14.8 (Oct 23, 2015)

New in npm 3.3.9 Pre (Oct 16, 2015)

New in npm 3.3.8 Pre (Oct 13, 2015)

New in npm 3.3.7 Pre (Oct 10, 2015)

New in npm 3.3.3 Pre (Sep 11, 2015)

New in npm 3.3.2 Pre (Sep 5, 2015)

New in npm 3.3.1 Pre (Aug 28, 2015)

New in npm 2.14.0 (Aug 21, 2015)

New in npm 3.3.0 Pre (Aug 15, 2015)

New in npm 3.2.2 Pre (Aug 10, 2015)

New in npm 2.13.1 (Jul 17, 2015)

New in npm 3.1.2 Pre (Jul 14, 2015)

New in npm 3.1.1 Pre (Jul 10, 2015)

New in npm 2.13.0 (Jul 10, 2015)

New in npm 3.1.0 Pre (Jul 6, 2015)

New in npm 2.12.1 Pre (Jun 26, 2015)

New in npm 2.12.0 Pre (Jun 19, 2015)

New in npm 2.11.3 Pre (Jun 12, 2015)

New in npm 2.11.2 Pre (Jun 5, 2015)

New in npm 2.11.1 Pre (May 29, 2015)

New in npm 2.11.0 Pre (May 22, 2015)

FEATURELETS:
b07f7c7 #7906 Add new scripts to allow you to run scripts before and after the npm version command has run. This makes it easy to, for instance, require that your test suite passes before bumping the version by just adding "preversion": "npm test" to the scripts section of your package.json. (@watilde)
8a46136 #8185 When we get a "not found" error from the registry, we'll now check to see if the package name you specified is invalid and if so, give you a better error message. (@thefourtheye)
BUG FIXES:
9bcf573 #8324 On Windows, when you've configured a custom node-gyp, run it with node itself instead of using the default open action (which is almost never what you want). (@bangbang93)
1da9b04 #7195 #7260 [email protected]: (Re-)allow publication of existing mixed-case packages (part 1). (@smikes)
e926783 #7195 #7260 [email protected]: (Re-)allow publication of existing mixed-case packages (part 2). (@smikes)
DOCUMENTATION IMPROVEMENTS:
f62ee05 #8314 Update the README to warn folks away from using the CLI's internal API. For the love of glob, just use a child process to run the CLI! (@claycarpenter)
1093921 #8279 Update the documentation to note that, yes, you can publish scoped packages to the public registry now! (@mantoni)
f87cde5 #8292 Fix typo in an example and grammar in the description in the shrinkwrap documentation. (@vshih)
d3526ce Improve the formatting in the shrinkwrap documentation. (@othiym23)
19fe6d2 #8311 Update README.md to use syntax highlighting in its code samples and bits of shell scripts. (@SimenB)
DEPENDENCY UPDATES! ALWAYS AND FOREVER:
fc52160 #4700 #5044 [email protected]: Make entering an invalid version while running npm init give you an immediate error and prompt you to correct it. (@watilde)
738853e #7763 [email protected]: Fix a bug where errors would not propagate, making error messages unhelpful. (@iarna)
6d74a2d [email protected]: Fix tests on windows (@Bacra) and with more recent hosted-git-info. (@iarna)
50f7178 [email protected]: Correct spelling in its documentation. (@iarna)
d7956ca [email protected]: Fix a bug where unusual error conditions could make further use of the module fail. (@isaacs)
44f7d74 [email protected]: Update to the most recent tap to get a whole host of bug fixes and integration with coveralls. (@isaacs)
c21e8a8 [email protected] (@othiym23)
LICENSE FILES FOR THE LICENSE GOD:
Add missing ISC license file to package (@kasicka):
aa9908c [email protected]
23a3b1a [email protected]
8e04bba [email protected]
50f7178 [email protected]
6a54917 [email protected]
971f92c [email protected]
67b50b7 [email protected]
SPDX LICENSE UPDATES:
Switch license to BSD-2-Clause from plain "BSD" (@isaacs):
efdb733 [email protected]
e926783 [email protected]
Switch license to ISC from BSD (@isaacs):
c300956 [email protected]
1de1253 [email protected]
0d5698a [email protected]
2e84921 [email protected]
872fac9 [email protected]
01eb7f6 [email protected]
294336f [email protected]
ebdf6a1 [email protected]
Switch license to ISC from MIT (@isaacs):
e5d237f [email protected]
79fef14 [email protected]
22527da [email protected]
882ac87 [email protected]
9d9d015 [email protected]

New in npm 2.10.1 Pre (May 15, 2015)

New in npm 2.10.0 (May 11, 2015)

New in npm 2.9.1 Pre (May 1, 2015)

WOW! MORE GIT FIXES! YOU LOVE THOSE:
178a6ad #7202 When caching git dependencies, do so by the whole URL, including the branch name, so that if a single application depends on multiple branches from the same repository (in practice, multiple version tags), every install is of the correct version, instead of reusing whichever branch the caching process happened to check out first. (@iarna)
63b79cc #8084 Ensure that Bitbucket, GitHub, and Gitlab dependencies are installed the same way as non-hosted git dependencies, fixing npm install --link. (@laiso)
DOCUMENTATION FIXES AND TWEAKS:
ca478dc #8137 Somehow, we had failed to clearly document the full restrictions on package names. @linclark has now fixed that, although we will take with us to our graves the reasons why the maximum package name length is 214 characters (well, OK, it was that that was the longest name in the registry when we decided to put a cap on the name length). (@linclark)
b574076 #8079 Make the npm shrinkwrap documentation use code formatting for examples consistently. It would be great to do this for more commands HINT HINT. (@RichardLitt)
1ff636e #8105 Document that the global npmrc goes in $PREFIX/etc/npmrc, instead of $PREFIX/npmrc. (@anttti)
c3f2f7c #8127 Document how to use npm run build directly (hint: it's different from npm build!). (@mikemaccana)
873e467 #8069 Take the old, dead npm mailing list address out of package.json. It seems that people don't have much trouble figuring out how to report errors to npm. (@robertkowalski)
ENROBUSTIFICATIONMENT:
5abfc9c #7973 npm run-script completion will only suggest run scripts, instead of including dependencies. If for some reason you still wanted it to suggest dependencies, let us know. (@mantoni)
4b564f0 #8081 Use osenv to parse the environment's PATH in a platform-neutral way. (@watilde)
a4b6238 #8094 When we refactored the configuration code to split out checking for IPv4 local addresses, we inadvertently completely broke it by failing to return the values. In addition, just the call to os.getInterfaces() could throw on systems where querying the network configuration requires elevated privileges (e.g. Amazon Lambda). Add the return, and trap errors so they don't cause npm to explode. Thanks to @mhart for bringing this to our attention! (@othiym23)
DEPENDENCY UPDATES WAIT FOR NO SOPHONT:
000cd8b [email protected]: More informative assertions on argument validation failure. (@isaacs)
530a2e3 [email protected]: Revert to old key access-time behavior, as it was correct all along. (@isaacs)
d88958c [email protected]: Feature detection and test improvements. (@isaacs)
3fa39e4 [email protected] (@pgte)

New in npm 2.9.0 (May 1, 2015)

New in npm 2.9.0 Pre (Apr 24, 2015)

New in npm 2.8.4 (Apr 24, 2015)

New in npm 2.8.4 Pre (Apr 17, 2015)

New in npm 2.8.3 (Apr 17, 2015)

New in npm 2.8.3 Pre (Apr 16, 2015)

New in npm 2.8.2 Pre (Apr 15, 2015)

New in npm 2.8.1 Pre (Apr 14, 2015)

New in npm 2.8.0 Pre (Apr 11, 2015)

Changes:
Instead of converting the GitHub shorthand syntax to a git+ssh:, git:, or git+https: URL and saving that, save the shorthand itself to package.json.
If presented with shortcuts, try cloning via the git protocol, SSH, and HTTPS (in that order).
No longer prompt for credentials -- it didn't work right with the spinner, and wasn't guaranteed to work anyway. We may experiment with doing this a better way in the future. Users can override this by setting GIT_ASKPASS in their environment if they want to experiment with interactive cloning, but should also set --no-spin on the npm command line (or run npm config set spin=false).
EXPERIMENTAL FEATURE: Add support for github:, gist:, bitbucket:, and gitlab: shorthand prefixes. GitHub shortcuts will continue to be normalized to org/repo instead of being saved as github:org/repo, but gitlab:, gist:, and bitbucket: prefixes will be used on the command line and from package.json. BE CAREFUL WITH THIS. package.json files published with the new shorthand syntax can only be read by [email protected] and later, and this feature is mostly meant for playing around with it. If you want to save git dependencies in a form that older versions of npm can read, use --save-exact, which will save the git URL and resolved commit hash of the head of the branch in a manner simiilar to the way that --save-exact pins versions for registry dependencies. This is documented (so check npm help install for details), but we're not going to make a lot of noise about it until it has a chance to bake in a little more
6b0f588 #7867 Use git shorthand and git URLs as presented by user. Support new hosted-git-info shortcut syntax. Save shorthand in package.json. Try cloning via git:, git+ssh:, and git+https:, in that order, when supported by the underlying hosting provider. (@othiym23)
75d4267 #7867 Document new GitHub, GitHub gist, Bitbucket, and GitLab shorthand syntax. (@othiym23)
7d92c75 #7867 When --save-exact is used with git shorthand or URLs, save the fully-resolved URL, with branch name resolved to the exact hash for the commit checked out. (@othiym23)
9220e59 #7867 Ensure that non-prefixed and non-normalized GitHub shortcuts are saved to package.json. (@othiym23)
dd398e9 #7867 [email protected]: Ensure that gist: shorthand survives being round-tripped through package.json. (@othiym23)
33d1420 #7867 [email protected]: Add support for auth embedded directly in git URLs. (@othiym23)
23a1d5a #7867 [email protected]: Make it possible to determine in which form a hosted git URL was passed. (@iarna)
eaf75ac #7867 [email protected]: Normalize GitHub specifiers so they pass through shortcut syntax and preserve explicit URLs. (@iarna)
95e0535 #7867 [email protected]: Add git URL and shortcut to hosted git spec and use [email protected]. (@iarna)
a808926 #7867 [email protected]: Use [email protected] and test shortcut specifier behavior. (@iarna)
6dd1e03 #7867 [email protected]: Allow dependency on [email protected]. (@iarna)
63254bb #7867 [email protected]: Use [email protected]. (@iarna)
254b887 #7867 [email protected]: Use [email protected]. (@iarna)
0b9f8be #7867 [email protected]: Mark compatibility with [email protected] and [email protected]. (@iarna)
f40ecaa #7867 Extract a common method to use when cloning git repos for testing. (@othiym23)
TEST FIXES FOR NODE 0.8:
26d36e9 #7842 When spawning child processes, map exit code 127 to ENOENT so Node 0.8 handles child process failures the same as later versions. (@SonicHedgehog)
54cd895 #7842 Node 0.8 requires -e with -p when evaluating snippets; fix test. (@SonicHedgehog)
SMALL FIX AND DOC TWEAK:
20e9003 [email protected]: Fix regression where relative symbolic links within an extraction root that pointed within an extraction root would get normalized to absolute symbolic links. (@isaacs)
2ef8898 #7879 Better document that npm publish --tag=foo will not set latest to that version. (@linclark)

New in npm 2.7.6 Pre (Apr 3, 2015)

New in npm 2.7.5 (Mar 27, 2015)

New in npm 2.7.4 Pre (Mar 20, 2015)

New in npm 2.7.3 Pre (Mar 17, 2015)

New in npm 2.7.2 (Mar 13, 2015)

New in npm 2.7.1 (Mar 13, 2015)

GITSANITY:
6823807 #7121 npm install --save for Git dependencies saves the URL passed in, instead of the temporary directory used to clone the remote repo. Fixes using Git dependencies when shrinkwwapping. In the process, rewrote the Git dependency caching code. Again. No more single-letter variable names, and a much clearer workflow. (@othiym23)
c8258f3 #7486 When installing Git remotes, the caching code was passing in the function gitEnv instead of the results of invoking it. (@functino)
c618eed #2556 Make it possible to install Git dependencies when using --link by not linking just the Git dependencies. (@smikes)
WHY DID THIS TAKE SO LONG:
abdd040 [email protected]: Provide more helpful error messages when JSON parse errors are encountered by using a more forgiving JSON parser than JSON.parse. (@smikes)
BUGS & TWEAKS:
c56cfcd #7525 npm dedupe handles scoped packages. (@KidkArolis)
1b8ba74 #7531 npm stars and npm whoami will no longer send the registry the error text saying you need to log in as your username. (@othiym23)
6de1e91 #6441 Prevent needless reinstalls by only updating packages when the current version isn't the same as the version returned as wanted by npm outdated. (@othiym23)
2abc3ee Add npm upgrade as an alias for npm update. (@othiym23)
bcd4722 #7508 FreeBSD uses EAI_FAIL instead of ENOTFOUND. (@othiym23)
21c1ac4 #7507 Update support URL in generic error handler to https: from http:. (@watilde)
b6bd99a #7492 On install, the package.json engineStrict deprecation only warns for the current package. (@othiym23)
4ef1412 #7075 If you try to tag a release as a valid semver range, npm publish and npm tag will error early instead of proceeding. (@smikes)
ad53d0f Use rimraf in npm build script because Windows doesn't know what rm is. (@othiym23)
8885c4d [email protected]: Better Windows support. (@isaacs)
8885c4d [email protected]: Handle bad symlinks properly. (@isaacs)
TYPOS & CLARIFICATIONS:
42c605c Fix typo in CHANGELOG.md (@adrianblynch)
c9bd58d Add note about node_modules/.bin being added to the path in npm run-script. (@quarterto)
903bdd1 Matt Ranney confused the world when he renamed node-redis to redis. "The world" includes npm's documentation. (@RichardLitt)
dea9bb2 Fix typo in contributor link. (@watilde)
1226ca9 Properly close code block in npm-install.md. (@olizilla)

New in npm 2.7.0 (Mar 7, 2015)

A SMALL FEATURE WITH BIG IMPLICATIONS:
145af65 #4887 Replace calls to the node-gyp script bundled with npm by passing the --node-gyp=/path/to/node-gyp option to npm. Swap in pangyp or a version of node-gyp modified to work better with io.js without having to touch npm's code! (@ackalker)
@WATILDE'S NPM USABILITY CORNER:
448efd0 #2853 Add support for --dev and --prod to npm ls, so that you can list only the trees of production or development dependencies, as desired. (@watilde)
a0a8777 #7463 Split the list printed by npm run-script into lifecycle scripts and scripts directly invoked via npm run-script. (@watilde)
a5edc17 #6749 [email protected]: Support for passing scopes to npm init so packages are initialized as part of that scope / organization / team. (@watilde)
SMALLER FEATURES AND FIXES:
f33e8b8 #7354 Add --if-present flag to allow e.g. CI systems to call (semi-) standard build tasks defined in package.json, but don't raise an error if no such script is defined. (@jussi-kalliokoski)
7bf85cc #4005 #6248 Globally unlink a package when npm rm / npm unlink is called with no arguments. (@isaacs)
a2e04bd #7294 Ensure that when depending on git+ URLs, npm doesn't keep tacking additional git+ prefixes onto the front. (@twhid)
0f87f5e #6422 When depending on GitHub private repositories, make sure we construct the Git URLS correctly. (@othiym23)
50f461d #4595 Support finding compressed manpages. It's still up to the system to figure out how to display them, though. (@pshevtsov)
44da664 #7465 When calling git, log the full command, with all arguments, on error. (@thriqon)
9748d5c Add parent to error on ETARGET error. (@davglass)
37038d7 #4663 Remove hackaround for Linux tests, as it's evidently no longer necessary. (@mmalecki)
d7b7853 #2612 Add support for path completion on npm install, which narrows completion to only directories containing package.json files. (@deestan)
628fcdb Remove all command completion calls to -/short, because it's been removed from the primary registry for quite some time, and is generally a poor idea on any registry with more than a few hundred packages. (@othiym23)
3f6061d #6659 Instead of removing zsh completion global, make it a local instead. (@othiym23)
DOCUMENTATION TWEAKS:
5bc70e6 #7417 Provide concrete examples of how the new npm update defaults work in practice, tied to actual test cases. Everyone interested in using npm update -g now that it's been fixed should read these documents, as should anyone interested in writing documentation for npm. (@smikes)
8ac6f21 #6543 Clarify npm-scripts warnings to de-emphasize dangers of using install scripts. (@zeke)
ebe3b37 #6711 Note that git tagging of versions can be disabled via --no-git-tag-verson. (@smikes)
2ef5771 #6711 Document git-tag-version configuration option. (@KenanY)
95e59b2 Document that NODE_ENV=production behaves analogously to --production on npm install. (@stefaneg)
687117a #7463 Document the new script grouping behavior in the man page for npm run-script. (@othiym23)
536b2b6 Rescue one of the the disabled tests and make it work properly. (@smikes)
DEPENDENCY UPDATES:
89fc6a4 [email protected]: Test for being run as root, as well as the current user. (@isaacs)
5d0612f [email protected]: Better error message to explain why calling sync glob with a callback results in an error. (@isaacs)
64b07f6 [email protected]: More accurate counts of pending & skipped tests. (@rmg)
8fda451 [email protected]: Make official the fact that node-semver has moved from @isaacs's organization to @npm's. (@isaacs)

New in npm 2.7.0 Pre (Feb 28, 2015)

A SMALL FEATURE WITH BIG IMPLICATIONS:
145af65 #4887 Replace calls to the node-gyp script bundled with npm by passing the --node-gyp=/path/to/node-gyp option to npm. Swap in pangyp or a version of node-gyp modified to work better with io.js without having to touch npm's code! (@ackalker)
@WATILDE'S NPM USABILITY CORNER:
448efd0 #2853 Add support for --dev and --prod to npm ls, so that you can list only the trees of production or development dependencies, as desired. (@watilde)
a0a8777 #7463 Split the list printed by npm run-script into lifecycle scripts and scripts directly invoked via npm run-script. (@watilde)
a5edc17 #6749 [email protected]: Support for passing scopes to npm init so packages are initialized as part of that scope / organization / team. (@watilde)
SMALLER FEATURES AND FIXES:
f33e8b8 #7354 Add --if-present flag to allow e.g. CI systems to call (semi-) standard build tasks defined in package.json, but don't raise an error if no such script is defined. (@jussi-kalliokoski)
7bf85cc #4005 #6248 Globally unlink a package when npm rm / npm unlink is called with no arguments. (@isaacs)
a2e04bd #7294 Ensure that when depending on git+ URLs, npm doesn't keep tacking additional git+ prefixes onto the front. (@twhid)
0f87f5e #6422 When depending on GitHub private repositories, make sure we construct the Git URLS correctly. (@othiym23)
50f461d #4595 Support finding compressed manpages. It's still up to the system to figure out how to display them, though. (@pshevtsov)
44da664 #7465 When calling git, log the full command, with all arguments, on error. (@thriqon)
9748d5c Add parent to error on ETARGET error. (@davglass)
37038d7 #4663 Remove hackaround for Linux tests, as it's evidently no longer necessary. (@mmalecki)
d7b7853 #2612 Add support for path completion on npm install, which narrows completion to only directories containing package.json files. (@deestan)
628fcdb Remove all command completion calls to -/short, because it's been removed from the primary registry for quite some time, and is generally a poor idea on any registry with more than a few hundred packages. (@othiym23)
3f6061d #6659 Instead of removing zsh completion global, make it a local instead. (@othiym23)
DOCUMENTATION TWEAKS:
5bc70e6 #7417 Provide concrete examples of how the new npm update defaults work in practice, tied to actual test cases. Everyone interested in using npm update -g now that it's been fixed should read these documents, as should anyone interested in writing documentation for npm. (@smikes)
8ac6f21 #6543 Clarify npm-scripts warnings to de-emphasize dangers of using install scripts. (@zeke)
ebe3b37 #6711 Note that git tagging of versions can be disabled via --no-git-tag-verson. (@smikes)
2ef5771 #6711 Document git-tag-version configuration option. (@KenanY)
95e59b2 Document that NODE_ENV=production behaves analogously to --production on npm install. (@stefaneg)
687117a #7463 Document the new script grouping behavior in the man page for npm run-script. (@othiym23)
536b2b6 Rescue one of the the disabled tests and make it work properly. (@smikes)
DEPENDENCY UPDATES:
89fc6a4 [email protected]: Test for being run as root, as well as the current user. (@isaacs)
5d0612f [email protected]: Better error message to explain why calling sync glob with a callback results in an error. (@isaacs)
64b07f6 [email protected]: More accurate counts of pending & skipped tests. (@rmg)
8fda451 [email protected]: Make official the fact that node-semver has moved from @isaacs's organization to @npm's. (@isaacs)