Hey y'all, it’s been a while. Expect our release rate to increase back to normal here, as we’ve got a lot in the pipeline. Right now we’ve got a bunch of things from folks at npm. In the next release we’ll be focusing on user contributions and there are a lot of them queued up!
This release brings a bunch of exciting new features and bug fixes.
PACKAGE-LOCK GIT MERGE CONFLICT RESOLUTION
Allow npm install
to fix package-lock.json
and npm-shrinkwrap.json
files that have merge conflicts in them without your having to edit them. It works in conjunction with npm-merge-driver
to entirely eliminate package-lock merge conflicts.
e27674c22
Automatically resolve merge conflicts in lock-files. (@zkat)
NPM CI
The new npm ci
command installs from your lock-file ONLY. If your package.json
and your lock-file are out of sync then it will report an error.
It works by throwing away your node_modules
and recreating it from scratch.
Beyond guaranteeing you that you’ll only get what is in your lock-file it’s also much faster (2x-10x!) than npm install
when you don’t start with a node_modules
.
As you may take from the name, we expect it to be a big boon to continuous integration environments. We also expect that folks who do production deploys from git tags will see major gains.
5e4de9c99
Add new npm ci
installer. (@zkat)
OTHER NEW FEATURES
4d418c21b
#19817 Include contributor count in installation summary. (@kemitchell) 17079c2a8
Require password to change email through npm profile
. (@iarna) e7c5d226a
4f5327c05
#19780 Add support for web-based logins. This is not yet available on the registry, however. (@isaacs)
BIG FIXES TO PRUNING
827951590
Handle running npm install package-name
with a node_modules
containing packages without sufficient metadata to verify their origin. The only way to get install packages like this is to use a non-npm
package manager. Previously npm
removed any packages that it couldn’t verify. Now it will leave them untouched as long as you’re not asking for a full install. On a full install they will be reinstalled (but the same versions will be maintained).
This will fix problems for folks who are using a third party package manager to install packages that have postinstall
scripts that run npm install
. (@iarna)
3b305ee71
Only auto-prune on installs that will create a lock-file. This restores npm@4
compatible behavior when the lock-file is disabled. When using a lock-file npm
will continue to remove anything in your node_modules
that’s not in your lock-file. (@iarna) cec5be542
Fix bug where npm prune --production
would remove dev deps from the lock file. It will now only remove them from node_modules
not from your lock file. (@iarna) 857dab03f
Fix bug where git dependencies would be removed or reinstalled when installing other dependencies. (@iarna)
BUG FIXES TO TOKENS AND PROFILES
a66e0cd03
For CIDR filtered tokens, allow comma separated CIDR ranges, as documented. Previously you could only pass in multiple cidr ranges with multiple --cidr
command line options. (@iarna) d259ab014
Fix token revocation when an OTP is required. Previously you had to pass it in via --otp
. Now it will prompt you for an OTP like other npm token
commands. (@iarna) f8b1f6aec
Update token and profile commands to support legacy (username/password) authentication. (The npm registry uses tokens, not username/password pairs, to authenticate commands.) (@iarna)
OTHER BUG FIXES
6954dfc19
Fix a bug where packages would get pushed deeper into the tree when upgrading without an existing copy on disk. Having packages deeper in the tree ordinarily is harmless but is not when peerDependencies are in play. (@iarna) 1ca916a1e
Fix bug where when switching from a linked module to a non-linked module, the dependencies of the module wouldn’t be installed on the first run of npm install
. (@iarna) 8c120ebb2
Fix integrity matching to eliminate spurious EINTEGRITY errors. (@zkat) 94227e15e
More consistently make directories using perm and ownership preserving features. (@iarna)
DEPENDENCY UPDATES