Tuesday, 28 November, 2017 UTC



You may have noticed this is a semver-minor bump. Wondering why? This is why!
  • bc263c3fd #19054 Fully cross-platform package-lock.json. Installing a failing optional dependency on one platform no longer removes it from the dependency tree, meaning that package-lock.json should now be generated consistently across platforms! 🎉 (@iarna)
  • f94fcbc50 #19160 Add --package-lock-only config option. This makes it so you can generate a target package-lock.json without performing a full install of node_modules. (@alopezsanchez)
  • 66d18280c #19104 Add new --node-options config to pass through a custom NODE_OPTIONS for lifecycle scripts. (@bmeck)
  • 114d518c7 Ignore mtime when packing tarballs: This means that doing npm pack on the same repository should yield two tarballs with the same checksum. This will also help prevent cache bloat when using git dependencies. In the future, this will allow npm to explicitly cache git dependencies. (@isaacs)
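The mtime change above, illustrated with an added example that is not npm's own code: it builds a minimal ustar archive by hand and shows that the same file contents hash differently when header mtimes differ, and identically once mtime is pinned. The helper names, the sample files, the timestamps and the pinned value 0 are all assumptions made for the illustration.

```javascript
// Added example (not npm's code): why tar header mtimes break checksum stability.
const crypto = require('crypto');
const zlib = require('zlib');

// Encode a number as a NUL-terminated octal field of the given width.
const octal = (n, width) => n.toString(8).padStart(width - 1, '0') + '\0';

// Build one ustar entry: 512-byte header plus data padded to a 512-byte boundary.
function tarEntry(name, content, mtime) {
  const data = Buffer.from(content);
  const header = Buffer.alloc(512);
  header.write(name, 0, 100);
  header.write(octal(0o644, 8), 100);          // mode
  header.write(octal(0, 8), 108);              // uid
  header.write(octal(0, 8), 116);              // gid
  header.write(octal(data.length, 12), 124);   // size
  header.write(octal(mtime, 12), 136);         // mtime: the field that varies
  header.write(' '.repeat(8), 148);            // checksum is computed over spaces
  header.write('0', 156);                      // typeflag: regular file
  header.write('ustar\0' + '00', 257);         // magic + version
  const sum = header.reduce((acc, byte) => acc + byte, 0);
  header.write(sum.toString(8).padStart(6, '0') + '\0 ', 148);
  const padding = Buffer.alloc((512 - (data.length % 512)) % 512);
  return Buffer.concat([header, data, padding]);
}

// Pack files (sorted by name) into a gzipped tarball and return its SHA-512.
function packDigest(files, mtime) {
  const entries = Object.keys(files).sort()
    .map((name) => tarEntry(name, files[name], mtime));
  const tarball = zlib.gzipSync(Buffer.concat([...entries, Buffer.alloc(1024)]));
  return crypto.createHash('sha512').update(tarball).digest('hex');
}

// Constructed sample package contents.
const files = {
  'package/package.json': '{"name":"demo","version":"1.0.0"}\n',
  'package/index.js': 'module.exports = 42\n',
};

// Two checkouts of the same commit, made a minute apart (constructed timestamps).
const first = packDigest(files, 1511827200);
const second = packDigest(files, 1511827260);
console.log('real mtimes match:  ', first === second);
console.log('fixed mtime matches:', packDigest(files, 0) === packDigest(files, 0));
```

A stable checksum is what lets a lockfile or a cache key identify a packed tarball by content alone, so an unexpected digest change points at changed contents rather than at a changed timestamp.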

Node 9

Previously, it turns out npm broke on the latest Node, [email protected]. We went ahead and fixed it up so y'all should be able to use the latest npm again!

Bug Fixes

  • b70321733 #18881 When dealing with a node_modules that was created with older versions of npm (and thus older versions of npa) we need to gracefully handle older spec entries. Failing to do so results in us treating those packages as if they were http remote deps, which results in invalid lock files with version set to tarball URLs. This should now be fixed. (@iarna)
  • 2f9c5dd00 #18880 Stop overwriting version in package data on disk. This is another safeguard against the version overwriting that’s plagued some folks upgrading from older package-locks. (@iarna) (@joshclow)
  • a93e0a51d #18846 Correctly save transitive dependencies when using npm update in package-lock.json. (@iarna)
  • fdde7b649 #18825 Fix typo and concatenation in error handling. (@alulsh)
  • be67de7b9 #18711 Upgrade to bearer tokens from legacy auth when enabling 2FA. (@iarna)
  • bfdf0fd39 #19033 Fix issue where files with @ signs in their names would not get included when packing tarballs. (@zkat)
  • b65b89bde #19048 Fix problem where npm login was ignoring various networking-related options, such as custom certs. (@wejendorp)
  • 8c194b86e [email protected]: Include node_modules/ directories not in the root. (@isaacs)
  • d7ef6a20b [email protected]: Fix some *nix binary path escaping issues. (@zkat)
  • 981828466 [email protected]: Fix fallback to copy-concurrently when file move fails. This might fix permissions and such issues on platforms that were getting weird filesystem errors during install. (@karolba)
  • a0be6bafb [email protected]: Includes a bunch of fixes, especially for issues around git dependencies. Shasum-related errors should be way less common now, too. (@zkat)
  • b80d650de #19163 Fix a number of git and tarball specs and checksum errors. (@zkat)
  • cac225025 #19054 Don’t count failed optionals when summarizing installed packages. (@iarna)


  • b1ec2885c #18326 Stop truncating output of npm view. This means, for example, that you no longer need to use --json when a package has a lot of versions, to see the whole list. (@SimenB)
  • 55a124e0a #18884 Profile UX improvements: better messaging on unexpected responses, and stop claiming we set passwords to null when resetting them. (@iarna)
  • 635481c61 #18844 Improve error messaging for OTP/2FA. (@iarna)
  • 52b142ed5 #19054 Stop running the same rollback multiple times. This should address issues where Windows users saw strange failures when fsevents failed to install. (@iarna)
  • 798428b0b #19172 [email protected]: Log the fact line endings are being changed upon install. (@marcosscriven)


Usually, we don’t include internal refactor stuff in our release notes, but it’s worth calling out some of them because they’re part of a larger effort the CLI team and associates are undertaking to modularize npm itself so other package managers and associated tools can reuse all that code!
  • 9d22c96b7 #18500 Extract bin-links and gentle-fs to a separate library. This will allow external tools to do bin linking and certain fs operations in an npm-compatible way! (@mikesherov)
  • 015a7803b #18883 Capture logging from log events on the process global. This allows npm to use npmlog to report logging from external libraries like npm-profile. (@iarna)
  • c930e98ad [email protected]: Use our own node-gyp. This means npm no longer needs to pull some maneuvers to make sure node-gyp is in the right place, and that external packages using npm-lifecycle will get working native builds without having to do their own node-gyp maneuvers. (@zkochan)
  • 876f0c8f3 829893d61 #19099 [email protected]: npm’s prefix-finding logic is now a standalone module. That is, the logic that figures out where the root of your project is if you’ve cd’d into a subdirectory. Did you know you can run npm install from these subdirectories, and it’ll only affect the root? It works like git! (@iarna)


  • 7ae12b21c #18823 Fix spelling of the word authenticator. Because English is hard. (@tmcw)
  • 5dfc3ab7b #18742 Explicitly state ‘github:foo/bar’ as a valid shorthand for hosted git specs. (@felicio)
  • a9dc098a6 #18679 Add some documentation about the script-shell config. (@gszabo)
  • 24d7734d1 #18571 Change verboten to forbidden. (@devmount)
  • a8a45668f #18568 Improve wording for the docs for the “engines” section of package.json files. (@apitman)
  • dbc7e5b60 #19118 Use valid JSON in example for bundledDependencies. (@charmander)
  • 779339485 #19162 Remove trailing white space from npm access docs. (@WispProxy)

Dependency Bumps