Wednesday, 23 August, 2017 UTC
Summary
Here’s another small big release, with a handful bunch of fixes and a couple of small new features! This release has been incubating rather longer than usual and it’s grown quite a bit in that time. I’m also excited to say that it has contributions from 27 different folks, which is a new record for us. Our previous record was 5.1.0 at 21. Before that the record had been held by 1.3.16 since December of 2013.
If you can’t get enough of the bleeding edge, I encourage you to check out our canary release of npm. Get it with
npm install -g npmc. It’s going to be seeing some exciting stuff in the next couple of weeks, starting with a rewriten npm dedupe, but moving on to… well, you’ll just have to wait and find out.PERFORMANCE
d080379f6[email protected]Updates extract to use tar@4, which is much faster than the older tar@2. It reduces install times by as much as 10%. (@zkat)4cd6a17740195c0a8c#16804[email protected]Update publish to use tar@4. tar@4 brings many advantages over tar@2: It’s faster, better tested and easier to work with. It also produces exactly the same byte-for-byte output when producing tarballs from the same set of files. This will have some nice carry on effects for things like caching builds from git. And finally, last but certainly not least, upgrading to it also let’s us finally eliminatefstream—if you know what that is you’ll know why we’re so relieved. (@isaacs)
FEATURES
1ac470dd2#10382 If you make a typo when writing a command now, npm will print a brief “did you mean…” message with some possible alternatives to what you meant. (@watilde)20c46228d#12356 When running lifecycle scripts,INIT_CWDwill now contain the original working directory that npm was executed from. Remember that you can usenpm run-scripteven if you’re not inside your package root directory! (@MichaelQQ)be91e17264e7c41f4a[email protected]: Fixes a number of issues on Windows and adds support for several more languages: Korean, Norwegian (bokmål and nynorsk), Ukrainian, Serbian, Bahasa Indonesia, Polish, Dutch and Arabic. (@zkat)2dec601c6#17142 Add the newcommit-hooksoption tonpm versionso that you can disable commit hooks when committing the version bump. (@faazshift)bde151902#14461 Make output fromnpm pingclear as to its success or failure. (@legodude17)
BUGFIXES
b6d5549d2#17844 Make package-lock.json sorting locale-agnostic. Previously, sorting would vary by locale, due to usinglocaleComparefor key sorting. This’ll give you a little package-lock.json churn as it reshuffles things, sorry! (@LotharSee)44b98b9dd#17919 Fix a crash wherenpm prune --productionwould fail while removing.bin. (@fasterthanlime)c3d1d3ba8#17816 Fail more smoothly when attempting to install an invalid package name. (@SamuelMarks)55ac2fca8#12784 Guard against stack overflows when marking packages as failed. (@vtravieso)597cc0e4b#15087 Stop outputting progressbars or using color on dumb terminals. (@iarna)7a7710ba7#15088 Don’t exclude modules that are both dev & prod when usingnpm ls --production. (@iarna)867df2b02#18164 Only do multiple procs on OSX for now. We’ve seen a handful of issues relating to this in Docker and in on Windows with antivirus. (@zkat)23540af7b#18117 Some package managers would write spaces to the _from field in package.json’s in the form ofname @spec. This was causing npm to fail to interpret them. We now handle that correctly and doubly make sure we don’t do that ourselves. (@IgorNadj)0ef320cb4#16634 Convert any bin script with a shbang a the start to Unix line-endings. (These sorts of scripts are not compatible with Windows line-endings even on Windows.) (@ScottFreeCode)71191ca22#16476[email protected]Running an install with--ignore-scriptswas resulting in the the package object being mutated to have the lifecycle scripts removed from it and that in turn was being written out to disk, causing further problems. This fixes that: No more mutation, no more unexpected changes. (@addaleax)459fa9d51npm/read-package-json#74 #17802[email protected]Use unix-style slashes for generated bin entries, which lets them be cross platform even when produced on Windows. (@iarna)5ec72ab5b#18229 Make install.sh find nodejs on debian. (@cebe)
DOCUMENTATION
b019680db#10846 Remind users that they have to install missingpeerDependenciesmanually. (@ryanflorence)3aee5986a#17898 Minor punctuation fixes to the README. (@AndersDJohnson)e0d0a7e1d#17832 Fix grammar, format, and spelling in documentation forrun-script. (@simonua)3fd6a5f2f#17897 Add more info about usingfileswithnpm pack/npm publish. (@davidjgoss)f00cdc6eb#17785 Add a note about filenames for certificates on Windows, which use a different extension and file type. (@lgp1985)0cea6f974#18022 Clarify usage for thefilesfield inpackage.json. (@xcambar)a0fdd1571#15234 Clarify the behavior of thefilesarray in the package-json docs. (@jbcpollak)cecd6aa5d#18137 Clarify interaction between npmignore and files in package.json. (@supertong)6b8972039#18044 Corrected the typo in package-locks docs. (@vikramnr)6e012924f#17667 Fix description of package.json in npm-scripts docs. (@tripu)
POSSIBLY INTERESTING DEPENDENCY UPDATES
48d84171af60b05d63[email protected]Perf improvements. (@zkat)f4650b5d4[email protected]: Serialize writes to the same file so that results are deterministic. Cleanup tempfiles when process is interrupted or killed. (@ferm10n) (@iarna)
CHORES
96d78df9880e2f49604f49f687b07d2296b1a267ab430#18176 #18025 Move the lifecycle code out of npm into a separate library,npm-lifecycle. Shh, I didn’t tell you this, but this portends to some pretty cool stuff to come very soon now. (@mikesherov)0933c7eaf#18025 Force Travis to use Precise instead of Trusty. We have issues with our couchdb setup and Trusty. =/ (@mikesherov)afb086230#18138 Fix typos in files-and-ignores test. (@supertong)3e6d11cde#18175 Update dependencies to eliminate transitive dependencies with the WTFPL license, which some more serious corporate lawyery types aren’t super comfortable with. (@zkat)ee4c9bd8a#16474 The tests intest/tap/lifecycle-signal.js, as well as the features they are testing, are partially broken. This moves them from being skipped in CI to being disabled only for certain platforms. In particular, becausenpmspawns its lifecycle scripts in a shell, signals are not necessarily forwarded by the shell and won’t cause scripts to exit; also, shells may report the signal they receive using their exit status, rather than terminating themselves with a signal. (@addaleax)9462e5d9c#16547 Remove unused file: bin/read-package-json.js (@metux)0756d687d#16550 The build tools for the documentation need to be built/installed before the documents, even with parallel builds. Make has a simple mechanism which was made exactly for that: target dependencies. (@metux)