v6.6.0

REFACTORING OUT npm-REGISTRY-CLIENT

Today is an auspicious day! This release marks the end of a massive internal refactor to npm that means we finally got rid of the legacy npm-registry-client in favor of the shiny, new, window.fetch-like npm-registry-fetch.

Now, the installer had already done most of this work with the release of npm@5, but it turns out every other command still used the legacy client. This release updates all of those commands to use the new client, and while we're at it, adds a few extra goodies:

• All OTP-requiring commands will now prompt. --otp is no longer required for dist-tag, access, et al.
• We're starting to integrate a new config system which will eventually get extracted into a standalone package.
• We now use libnpm for the API functionality of a lot of our commands! That means you can install a library if you want to write your own tooling around them.
• There's now an npm org command for managing users in your org.
• pacote now consumes npm-style configurations, instead of its own naming for various config vars. This will make it easier to load npm configs using libnpm.config and hand them directly to pacote.

There's too many commits to list all of them here, so check out the PR if you're curious about details:

• c5af34c05 npm-registry-client@REMOVED (@zkat)
• 4cca9cb90 ad67461dc 77625f9e2 6e922aefb 584613ea8 64de4ebf0 6cd87d1a9 2786834c0 514558e09 dec07ebe3 084741913 45aff0e02 846ddcc44 8971ba1b9 99156e081 ab2155306 b37a66542 d2af0777a e0b4c6880 ff72350b4 6ed943303 90a069e7d b24ed5fdc ec9fcc14f 8a56fa39e 41d19e18f 125ff9551 1c3b226ff 3c0a7b06b 08fcb3f0f c8135d97a ae936f22c #2

NEW FEATURES

• 02c837e01 #106 Make npm dist-tags the same as npm dist-tag ls. (@isaacs)
• 1065a7809 #65 Add support for IBM i. (@dmabupt)
• a22e6f5fc #131 Update profile to support new npm-profile API. (@zkat)

BUGFIXES

• 890a74458 npm.community#3278 Fix support for passing git binary path config with --git. (@larsgw)
• 90e55a143 npm.community#2713 Check for npm.config's existence in error-handler.js to prevent weird errors when failures happen before config object is loaded. (@BeniCheni)
• 134207174 npm.community#2569 Fix checking for optional dependencies. (@larsgw)
• 7a2f6b05d npm.community#4172 Remove tink experiments. (@larsgw)
• c5b6056b6 #123 Handle git branch references correctly. (@johanneswuerbach)
• f58b43ef2 npm.community#3983 Report any errors above 400 as potentially not supporting audit. (@zkat)
• a5c9e6f35 #124 Set default homepage to an empty string. (@anchnk)
• 5d076351d npm.community#4054 Fix npm-prefix description. (@larsgw)

DOCS

• 31a7274b7 #71 Fix typo in npm-token documentation. (@GeorgeTaveras1231)
• 2401b7592 Correct docs for fake-registry interface. (@iarna)

DEPENDENCIES

• 9cefcdc1d [email protected] (@zkat)
• 1c769c9b3 [email protected] (@zkat)
• f3bc5539b [email protected] (@zkat)
• bf7199d3c [email protected] (@zkat)
• 118c50496 [email protected] (@isaacs)
• eab4df925 [email protected] (@zkat)
• b86e51573 [email protected] (@zkat)
• 56fffbff2 [email protected] (@zkat)
• df972e948 npm-profile@REMOVED
  (@zkat)
• 32c73bf0e [email protected] (@zkat)
• 569491b80 [email protected] (@zkat)
• a3ba0ccf1 move rimraf to prod deps
  (@zkat)
• f63a0d6cf [email protected] (@zkat)
• f350e714f [email protected] (@aeschright)
• a67e4d8b2 [email protected] (@aeschright)
• [8bea4efa3](8...

v6.6.0-next.1

REFACTORING OUT npm-REGISTRY-CLIENT

Today is an auspicious day! This release marks the end of a massive internal refactor to npm that means we finally got rid of the legacy npm-registry-client in favor of the shiny, new, window.fetch-like npm-registry-fetch.

Now, the installer had already done most of this work with the release of npm@5, but it turns out every other command still used the legacy client. This release updates all of those commands to use the new client, and while we're at it, adds a few extra goodies:

• All OTP-requiring commands will now prompt. --otp is no longer required for dist-tag, access, et al.
• We're starting to integrate a new config system which will eventually get extracted into a standalone package.
• We now use libnpm for the API functionality of a lot of our commands! That means you can install a library if you want to write your own tooling around them.
• There's now an npm org command for managing users in your org.
• pacote now consumes npm-style configurations, instead of its own naming for various config vars. This will make it easier to load npm configs using libnpm.config and hand them directly to pacote.

There's too many commits to list all of them here, so check out the PR if you're curious about details:

• c5af34c05 npm-registry-client@REMOVED (@zkat)
• 4cca9cb90 ad67461dc 77625f9e2 6e922aefb 584613ea8 64de4ebf0 6cd87d1a9 2786834c0 514558e09 dec07ebe3 084741913 45aff0e02 846ddcc44 8971ba1b9 99156e081 ab2155306 b37a66542 d2af0777a e0b4c6880 ff72350b4 6ed943303 90a069e7d b24ed5fdc ec9fcc14f 8a56fa39e 41d19e18f 125ff9551 1c3b226ff 3c0a7b06b 08fcb3f0f c8135d97a ae936f22c #2

NEW FEATURES

• 02c837e01 #106 Make npm dist-tags the same as npm dist-tag ls. (@isaacs)
• 1065a7809 #65 Add support for IBM i. (@dmabupt)
• a22e6f5fc #131 Update profile to support new npm-profile API. (@zkat)

BUGFIXES

• 890a74458 npm.community#3278 Fix support for passing git binary path config with --git. (@larsgw)
• 90e55a143 npm.community#2713 Check for npm.config's existence in error-handler.js to prevent weird errors when failures happen before config object is loaded. (@BeniCheni)
• 134207174 npm.community#2569 Fix checking for optional dependencies. (@larsgw)
• 7a2f6b05d npm.community#4172 Remove tink experiments. (@larsgw)
• c5b6056b6 #123 Handle git branch references correctly. (@johanneswuerbach)
• f58b43ef2 npm.community#3983 Report any errors above 400 as potentially not supporting audit. (@zkat)
• a5c9e6f35 #124 Set default homepage to an empty string. (@anchnk)
• 5d076351d npm.community#4054 Fix npm-prefix description. (@larsgw)

DOCS

• 31a7274b7 #71 Fix typo in npm-token documentation. (@GeorgeTaveras1231)
• 2401b7592 Correct docs for fake-registry interface. (@iarna)

DEPENDENCIES

• 9cefcdc1d [email protected] (@zkat)
• 1c769c9b3 [email protected] (@zkat)
• f3bc5539b [email protected] (@zkat)
• bf7199d3c [email protected] (@zkat)
• 118c50496 [email protected] (@isaacs)
• eab4df925 [email protected] (@zkat)
• b86e51573 [email protected] (@zkat)
• 56fffbff2 [email protected] (@zkat)
• df972e948 npm-profile@REMOVED
  (@zkat)
• 32c73bf0e [email protected] (@zkat)
• 569491b80 [email protected] (@zkat)
• a3ba0ccf1 move rimraf to prod deps
  (@zkat)
• f63a0d6cf [email protected] (@zkat)
• f350e714f [email protected] (@aeschright)
• a67e4d8b2 [email protected] (@aeschright)
• [8bea4efa3](8...

v6.6.0-next.0

REFACTORING OUT npm-REGISTRY-CLIENT

Today is an auspicious day! This release marks the end of a massive internal refactor to npm that means we finally got rid of the legacy npm-registry-client in favor of the shiny, new, window.fetch-like npm-registry-fetch.

Now, the installer had already done most of this work with the release of npm@5, but it turns out every other command still used the legacy client. This release updates all of those commands to use the new client, and while we're at it, adds a few extra goodies:

• All OTP-requiring commands will now prompt. --otp is no longer required for dist-tag, access, et al.
• We're starting to integrate a new config system which will eventually get extracted into a standalone package.
• We now use libnpm for the API functionality of a lot of our commands! That means you can install a library if you want to write your own tooling around them.
• There's now an npm org command for managing users in your org.
• pacote now consumes npm-style configurations, instead of its own naming for various config vars. This will make it easier to load npm configs using libnpm.config and hand them directly to pacote.

There's too many commits to list all of them here, so check out the PR if you're curious about details:

• c5af34c05 npm-registry-client@REMOVED (@zkat)
• 4cca9cb90 ad67461dc 77625f9e2 6e922aefb 584613ea8 64de4ebf0 6cd87d1a9 2786834c0 514558e09 dec07ebe3 084741913 45aff0e02 846ddcc44 8971ba1b9 99156e081 ab2155306 b37a66542 d2af0777a e0b4c6880 ff72350b4 6ed943303 90a069e7d b24ed5fdc ec9fcc14f 8a56fa39e 41d19e18f 125ff9551 1c3b226ff 3c0a7b06b 08fcb3f0f c8135d97a ae936f22c #2 Move rest of commands to npm-registry-fetch and use figgy-pudding for configs. (@zkat)

NEW FEATURES

• 02c837e01 #106 Make npm dist-tags the same as npm dist-tag ls. (@isaacs)
• 1065a7809 #65 Add support for IBM i. (@dmabupt)

BUGFIXES

• 890a74458 npm.community#3278 Fix support for passing git binary path config with --git. (@larsgw)
• 90e55a143 npm.community#2713 Check for npm.config's existence in error-handler.js to prevent weird errors when failures happen before config object is loaded. (@BeniCheni)

DOCS

• 31a7274b7 #71 Fix typo in npm-token documentation. (@GeorgeTaveras1231)

DEPENDENCIES

• 9cefcdc1d [email protected] (@zkat)
• 1c769c9b3 [email protected] (@zkat)
• f3bc5539b [email protected] (@zkat)
• bf7199d3c [email protected] (@zkat)
• 118c50496 [email protected] (@isaacs)
• eab4df925 [email protected] (@zkat)
• b86e51573 [email protected] (@zkat)
• 56fffbff2 [email protected] (@zkat)
• df972e948 npm-profile@REMOVED (@zkat)
• 32c73bf0e [email protected] (@zkat)
• 569491b80 [email protected] (@zkat)
• a3ba0ccf1 move rimraf to prod deps (@zkat)

v6.5.0

NEW FEATURES

• fc1a8d185 Backronym npm ci to npm clean-install. (@zkat)
• 4be51a9cc #81 Adds 'Homepage' to outdated --long output. (@jbottigliero)

BUGFIXES

• 89652cb9b npm.community#1661 Fix sign-git-commit options. They were previously totally wrong. (@zkat)
• 414f2d1a1 npm.community#1742 Set lowercase headers for npm audit requests. (@maartenba)
• a34246baf #75 Fix npm edit handling of scoped packages.
  (@larsgw)* d3e8a7c72 npm.community#2303 Make summary output for npm ci go to stdout, not stderr. (@alopezsanchez)
• 71d8fb4a9 npm.community#1377 Close the file descriptor during publish if exiting upload via an error. This will prevent strange error messages when the upload fails and make sure
  cleanup happens correctly. (@macdja38)

DOCS UPDATES

• b1a8729c8 #60 Mention --otp flag when prompting for OTP. (@bakkot)
• bcae4ea81 #64 Clarify that git dependencies use the default branch, not just master. (@zckrs)
• 15da82690 #72 bash_completion.d dir is sometimes found in /etc not /usr/local. (@RobertKielty)
• 8a6ecc793 #74 Update OTP documentation for dist-tag add to clarify --otp is needed right now. (@scotttrinh)
• dcc03ec85 #82 Note that prepare runs when installing git dependencies. (@seishun)
• a91a470b7 #83 Specify that --dry-run isn't available in older versions of npm publish. (@kjin)
• 1b2fabcce #96 Fix inline code tag issue in docs. (@midare)
• 6cc70cc19 #68 Add semver link and a note on empty string format to deprecate doc. (@neverett)
• 61dbbb7c3 Fix semver docs after version update. (@zkat)
• 4acd45a3d #78 Correct spelling across various docs. (@hugovk)

DEPENDENCIES

• 4f761283e [email protected] (@zkat)
• 3706db0bc npm.community#1764 [email protected] (@zkat)
• 83c2b117d [email protected] (@petkaantonov)
• 2702f46bd [email protected] (@watson)
• 4db6c3898 [email protected]:2 (@dawsbot)
• 70bee4f69 [email protected] (@isaacs)
• e469fd6be
[email protected]: Fix browser opening under Windows Subsystem for Linux (WSL). (@thijsputman)
• 03840dced
[email protected] (@iarna)
• 161dc0b41 [email protected] (@petkaantonov)
• bb6f94395 [email protected]:5 (@isaacs)
• 43b1f4c91 [email protected] (@isaacs)
• ab62afcc4 [email protected]:2 (@isaacs)
• 027f06be3 [email protected] (@watson)

MISCELLANEOUS

• 27217dae8 #70 Automatically audit dependency licenses for npm itself. (@kemitchell)

v6.5.0-next.0

This release became [email protected].

v6.4.1

BUGFIXES

• 4bd40f543 #42 Prevent blowing up on malformed responses from the npm audit endpoint, such as with third-party registries. (@framp)
• 0e576f0aa #46 Fix NO_PROXY support by renaming npm-side config to --noproxy. The environment variable should still work. (@SneakyFish5)
• d8e811d6a #33 Disable update-notifier checks when a CI environment is detected. (@Sibiraj-S)
• 1bc5b8cea #47 Fix issue where postpack scripts would break if pack was used with --dry-run. (@larsgw)

DEPENDENCY BUMPS

• 4c57316d5 [email protected] (@zkat)
• 85f4d7905 [email protected] (@zkat)
• d20ac242a [email protected]: No real changes in npm-packlist, but npm-bundled included a circular dependency fix, as well as adding a proper LICENSE file. (@isaacs)
• e8d5f4418 npm.community#632 [email protected]: Fixes issue where npm ci wasn't running the prepare lifecycle script when installing git dependencies (@edahlseng)
• a5e6f78e9 [email protected]: Fixes memory leak problem when streaming large files (like legacy npm search). (@daern91)
• 3b940331d npm.community#1042 [email protected]: Fixes issue for Windows user where multiple Path/PATH variables were being added to the environment and breaking things in all sorts of fun and interesting ways. (@JimiC)
• d612d2ce8 [email protected] (@iarna)
• 1f6ba1cb1 [email protected] (@domenic)
• 37b8f405f [email protected] (@mikeal)
• bb91a2a14 [email protected] (@iarna)
• 30bc9900a [email protected]: Adds support for two more CI services (@watson)
• 1d2fa4ddd [email protected] (@joshbruce)

DOCUMENTATION

• 08ecde292 #54 Mention registry terms of use in manpage and registry docs and update language in README for it. (@kemitchell)
• de956405d #41 Add documentation for --dry-run in install and pack docs. (@reconbot)
• 95031b90c #48 Update republish time and lightly reorganize republish info. (@neverett)
• 767699b68 #53 Correct [email protected] release date in changelog. (@charmander)
• 3fea3166e #55 Align command descriptions in help text. (@erik)

v6.4.1-next.0

This release became [email protected].

v6.4.0

NEW FEATURES

• 6e9f04b0b npm/cli#8 Search for authentication token defined by environment variables by preventing the translation layer from env variable to npm option from breaking :_authToken. (@mkhl)
• 84bfd23e7 npm/cli#35 Stop filtering out non-IPv4 addresses from local-addrs, making npm actually use IPv6 addresses when it must. (@valentin2105)
• 792c8c709 npm/cli#31 configurable audit level for non-zero exit npm audit currently exits with exit code 1 if any vulnerabilities are found of any level. Add a flag of --audit-level to npm audit to allow it to pass if only vulnerabilities below a certain level are found. Example: npm audit --audit-level=high will exit with 0 if only low or moderate level vulns are detected. (@lennym)

BUGFIXES

• d81146181 npm/cli#32 Don't check for updates to npm when we are updating npm itself. (@olore)

DEPENDENCY UPDATES

A very special dependency update event! Since the release of [email protected], an awkward version conflict that was preventing request from begin flattened was resolved. This means two things:

1. We've cut down the npm tarball size by another 200kb, to 4.6MB
2. npm audit now shows no vulnerabilities for npm itself!

Thanks, @rvagg!

• 866d776c2 [email protected] (@simov)
• f861c2b57 [email protected] (@rvagg)
• 32e6947c6 npm/cli#39 [email protected]: REVERT REVERT, newer versions of this library are broken and print ansi codes even when disabled. (@iarna)
• beb96b92c [email protected] (@zkat)
• 348fc91ad [email protected]: Fixes errors with empty or string-only license fields. (@Gudahtt)
• e57d34575 [email protected] (@shesek)
• 46f1c6ad4 [email protected] (@isaacs)
• 50df1bf69 [email protected] (@iarna)
  (@Erveon) (@huochunpeng)

DOCUMENTATION

• af98e76ed npm/cli#34 Remove npm publish from list of commands not affected by --dry-run. (@joebowbeer)
• e2b0f0921 npm/cli#36 Tweak formatting in repository field examples. (@noahbenham)
• e2346e770 npm/cli#14 Used process.env examples to make accessing certain npm run-scripts environment variables more clear. (@mwarger)

v6.4.0-next.0

This release became [email protected].

v6.3.0

This is basically the same as the prerelease, but two dependencies have been bumped due to bugs that had been around for a while.

• 0a22be42e [email protected] (@zkat)
• 0096f6997 [email protected] (@zkat)