Wednesday, 18 April, 2018 UTC



  • 32ec2f54b #20257 Add shasum and integrity to the new npm view output. (@zkat)
  • a22153be2 #20126 Add an npm cit command that is the equivalent of npm ci && npm t, the npm ci counterpart of npm it. (@SimenB)


  • 089aeaf44 Fix a bug where OTPs passed in via the command line would have leading zeros deleted, resulting in authentication failures. (@iarna)
  • 6eaa860ea Eliminate direct use of new Buffer in npm. While the use of it in npm was safe, there are two other reasons for this change:
    1. Node 10 emits warnings about its use.
    2. Users who require npm as a library (which they definitely should not do) can call the functions that call new Buffer in unsafe ways, if they try really hard.
  • 85900a294 Starting with 5.8.0 the requires section of the lock-file saved version ranges instead of specific versions. Due to a bug, further actions on the same lock-file would result in the range being switched back to a version. This corrects that, keeping ranges when they appear. (@iarna)
  • 0dffa9c2a 609d6f6e1 08f81aa94 f8b76e076 6d609822d 59d080a22 Restore the ability to bundle dependencies that are uninstallable from the registry. This also eliminates needless registry lookups for bundled dependencies.
    Fixed a bug where attempting to install a dependency that is bundled inside another module without reinstalling that module would result in ENOENT errors. (@iarna)
  • db846c2d5 #20029 Allow packages with non-registry specifiers to follow the fast path that we use with the lock-file for registry specifiers. This will improve install time, especially when operating only on the package-lock (--package-lock-only). (@zkat)
    Fixes a bug where npm i --only=prod could remove development dependencies from the lock-file. (@iarna)
  • 3e12d2407 #20122 Improve the update-notifier messaging (borrowing ideas from pnpm) and eliminate false positives. (@zkat)
  • f18be9b39 #20154 Let version succeed when package-lock.json is gitignored. (@nwoltman)
  • ced29253d #20212 Ensure that we only create an etc directory if we are actually going to write files to it. (@buddydvd)
  • 8e21b19a8 #20140 Note in documentation that package-lock.json version gets touched by npm version. (@srl295)
  • 5d17c87d8 #20032 Fix bug where unauthenticated errors would get reported as both 404s and 401s, i.e. npm ERR! 404 Registry returned 401. In these cases the error message will now be much more informative. (@iarna)
  • 05ff6c9b1 #20082 Allow optional @ prefix on scope with npm team commands for parity with other commands. (@bcoe)
  • 6bef53891 #19580 Improve messaging when two-factor authentication is required while publishing. (@jdeniau)
  • 155dab2bd Fix a bug where optional status of a dependency was not being saved to the package-lock on the initial install. (@iarna)
  • 8d6a4cafc a0937e9af Ensure that --no-optional does not remove optional dependencies from the lock-file. (@iarna)
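
The OTP entry above (089aeaf44) describes a failure mode common to option parsers that coerce digits-only values to numbers. The following is an added illustration, not npm's code or its actual fix: parseArgs, STRING_OPTIONS, otpAsSent and isWellFormedOtp are hypothetical names, the command line is constructed, and six-digit OTPs are assumed.

```javascript
// Added illustration, not npm's code. Assumes six-digit numeric OTPs.

// Options whose values must stay strings (assumed list for this sketch).
const STRING_OPTIONS = new Set(['otp']);

// Parse `--key=value` and `--key value`. With coerceAll=true every
// digits-only value becomes a Number, which is the failure mode.
function parseArgs(argv, { coerceAll }) {
  const out = {};
  for (let i = 0; i < argv.length; i++) {
    const m = /^--([^=]+)(?:=(.*))?$/.exec(argv[i]);
    if (!m) continue;
    const key = m[1];
    let value = m[2];
    if (value === undefined) {
      const next = argv[i + 1];
      if (next !== undefined && !next.startsWith('--')) {
        value = next;
        i++;
      } else {
        value = true; // bare flag
      }
    }
    const digitsOnly = typeof value === 'string' && /^\d+$/.test(value);
    const keepString = !coerceAll && STRING_OPTIONS.has(key);
    out[key] = digitsOnly && !keepString ? Number(value) : value;
  }
  return out;
}

// The value as it would be serialised into a request.
function otpAsSent(config) {
  return String(config.otp);
}

// Check before sending: a string of exactly six digits.
function isWellFormedOtp(value) {
  return typeof value === 'string' && /^\d{6}$/.test(value);
}

// Constructed sample command line.
const argv = ['--otp=012345', '--fetch-retries', '3'];
const broken = parseArgs(argv, { coerceAll: true });
const fixed = parseArgs(argv, { coerceAll: false });
console.log(otpAsSent(broken), isWellFormedOtp(broken.otp));
console.log(otpAsSent(fixed), isWellFormedOtp(fixed.otp));
```

A format check such as isWellFormedOtp turns the silent corruption into a local error before the truncated code ever reaches the registry.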