Wednesday, 23 August, 2017 UTC


Here’s another small big release, with a handful bunch of fixes and a couple of small new features! This release has been incubating rather longer than usual and it’s grown quite a bit in that time. I’m also excited to say that it has contributions from 27 different folks, which is a new record for us. Our previous record was 5.1.0 at 21. Before that the record had been held by 1.3.16 since December of 2013.
If you can’t get enough of the bleeding edge, I encourage you to check out our canary release of npm. Get it with npm install -g npmc. It’s going to be seeing some exciting stuff in the next couple of weeks, starting with a rewriten npm dedupe, but moving on to… well, you’ll just have to wait and find out.


  • d080379f6 [email protected] Updates extract to use [email protected], which is much faster than the older [email protected] It reduces install times by as much as 10%. (@zkat)
  • 4cd6a1774 0195c0a8c #16804 [email protected] Update publish to use [email protected] [email protected] brings many advantages over [email protected]: It’s faster, better tested and easier to work with. It also produces exactly the same byte-for-byte output when producing tarballs from the same set of files. This will have some nice carry on effects for things like caching builds from git. And finally, last but certainly not least, upgrading to it also let’s us finally eliminate fstream—if you know what that is you’ll know why we’re so relieved. (@isaacs)


  • 1ac470dd2 #10382 If you make a typo when writing a command now, npm will print a brief “did you mean…” message with some possible alternatives to what you meant. (@watilde)
  • 20c46228d #12356 When running lifecycle scripts, INIT_CWD will now contain the original working directory that npm was executed from. Remember that you can use npm run-script even if you’re not inside your package root directory! (@MichaelQQ)
  • be91e1726 4e7c41f4a [email protected]: Fixes a number of issues on Windows and adds support for several more languages: Korean, Norwegian (bokmål and nynorsk), Ukrainian, Serbian, Bahasa Indonesia, Polish, Dutch and Arabic. (@zkat)
  • 2dec601c6 #17142 Add the new commit-hooks option to npm version so that you can disable commit hooks when committing the version bump. (@faazshift)
  • bde151902 #14461 Make output from npm ping clear as to its success or failure. (@legodude17)


  • b6d5549d2 #17844 Make package-lock.json sorting locale-agnostic. Previously, sorting would vary by locale, due to using localeCompare for key sorting. This’ll give you a little package-lock.json churn as it reshuffles things, sorry! (@LotharSee)
  • 44b98b9dd #17919 Fix a crash where npm prune --production would fail while removing .bin. (@fasterthanlime)
  • c3d1d3ba8 #17816 Fail more smoothly when attempting to install an invalid package name. (@SamuelMarks)
  • 55ac2fca8 #12784 Guard against stack overflows when marking packages as failed. (@vtravieso)
  • 597cc0e4b #15087 Stop outputting progressbars or using color on dumb terminals. (@iarna)
  • 7a7710ba7 #15088 Don’t exclude modules that are both dev & prod when using npm ls --production. (@iarna)
  • 867df2b02 #18164 Only do multiple procs on OSX for now. We’ve seen a handful of issues relating to this in Docker and in on Windows with antivirus. (@zkat)
  • 23540af7b #18117 Some package managers would write spaces to the _from field in package.json’s in the form of name @spec. This was causing npm to fail to interpret them. We now handle that correctly and doubly make sure we don’t do that ourselves. (@IgorNadj)
  • 0ef320cb4 #16634 Convert any bin script with a shbang a the start to Unix line-endings. (These sorts of scripts are not compatible with Windows line-endings even on Windows.) (@ScottFreeCode)
  • 71191ca22 #16476 [email protected] Running an install with --ignore-scripts was resulting in the the package object being mutated to have the lifecycle scripts removed from it and that in turn was being written out to disk, causing further problems. This fixes that: No more mutation, no more unexpected changes. (@addaleax)
  • 459fa9d51 npm/read-package-json#74 #17802 [email protected] Use unix-style slashes for generated bin entries, which lets them be cross platform even when produced on Windows. (@iarna)
  • 5ec72ab5b #18229 Make find nodejs on debian. (@cebe)


  • b019680db #10846 Remind users that they have to install missing peerDependencies manually. (@ryanflorence)
  • 3aee5986a #17898 Minor punctuation fixes to the README. (@AndersDJohnson)
  • e0d0a7e1d #17832 Fix grammar, format, and spelling in documentation for run-script. (@simonua)
  • 3fd6a5f2f #17897 Add more info about using files with npm pack/npm publish. (@davidjgoss)
  • f00cdc6eb #17785 Add a note about filenames for certificates on Windows, which use a different extension and file type. (@lgp1985)
  • 0cea6f974 #18022 Clarify usage for the files field in package.json. (@xcambar)
  • a0fdd1571 #15234 Clarify the behavior of the files array in the package-json docs. (@jbcpollak)
  • cecd6aa5d #18137 Clarify interaction between npmignore and files in package.json. (@supertong)
  • 6b8972039 #18044 Corrected the typo in package-locks docs. (@vikramnr)
  • 6e012924f #17667 Fix description of package.json in npm-scripts docs. (@tripu)


  • 48d84171a f60b05d63 [email protected] Perf improvements. (@zkat)
  • f4650b5d4 [email protected]: Serialize writes to the same file so that results are deterministic. Cleanup tempfiles when process is interrupted or killed. (@ferm10n) (@iarna)


  • 96d78df98 80e2f4960 4f49f687b 07d2296b1 a267ab430 #18176 #18025 Move the lifecycle code out of npm into a separate library, npm-lifecycle. Shh, I didn’t tell you this, but this portends to some pretty cool stuff to come very soon now. (@mikesherov)
  • 0933c7eaf #18025 Force Travis to use Precise instead of Trusty. We have issues with our couchdb setup and Trusty. =/ (@mikesherov)
  • afb086230 #18138 Fix typos in files-and-ignores test. (@supertong)
  • 3e6d11cde #18175 Update dependencies to eliminate transitive dependencies with the WTFPL license, which some more serious corporate lawyery types aren’t super comfortable with. (@zkat)
  • ee4c9bd8a #16474 The tests in test/tap/lifecycle-signal.js, as well as the features they are testing, are partially broken. This moves them from being skipped in CI to being disabled only for certain platforms. In particular, because npm spawns its lifecycle scripts in a shell, signals are not necessarily forwarded by the shell and won’t cause scripts to exit; also, shells may report the signal they receive using their exit status, rather than terminating themselves with a signal. (@addaleax)
  • 9462e5d9c #16547 Remove unused file: bin/read-package-json.js (@metux)
  • 0756d687d #16550 The build tools for the documentation need to be built/installed before the documents, even with parallel builds. Make has a simple mechanism which was made exactly for that: target dependencies. (@metux)