Thursday, 22 February, 2018 UTC


Hey y'all, it’s been a while. Expect our release rate to increase back to normal here, as we’ve got a lot in the pipeline. Right now we’ve got a bunch of things from folks at npm. In the next release we’ll be focusing on user contributions and there are a lot of them queued up!
This release brings a bunch of exciting new features and bug fixes.


Allow npm install to fix package-lock.json and npm-shrinkwrap.json files that have merge conflicts in them without your having to edit them. It works in conjunction with npm-merge-driver to entirely eliminate package-lock merge conflicts.
  • e27674c22 Automatically resolve merge conflicts in lock-files. (@zkat)


The new npm ci command installs from your lock-file ONLY. If your package.json and your lock-file are out of sync then it will report an error.
It works by throwing away your node_modules and recreating it from scratch.
Beyond guaranteeing you that you’ll only get what is in your lock-file it’s also much faster (2x-10x!) than npm install when you don’t start with a node_modules.
As you may take from the name, we expect it to be a big boon to continuous integration environments. We also expect that folks who do production deploys from git tags will see major gains.
  • 5e4de9c99 Add new npm ci installer. (@zkat)


  • 4d418c21b #19817 Include contributor count in installation summary. (@kemitchell)
  • 17079c2a8 Require password to change email through npm profile. (@iarna)
  • e7c5d226a 4f5327c05 #19780 Add support for web-based logins. This is not yet available on the registry, however. (@isaacs)


  • 827951590 Handle running npm install package-name with a node_modules containing packages without sufficient metadata to verify their origin. The only way to get install packages like this is to use a non-npm package manager. Previously npm removed any packages that it couldn’t verify. Now it will leave them untouched as long as you’re not asking for a full install. On a full install they will be reinstalled (but the same versions will be maintained).
    This will fix problems for folks who are using a third party package manager to install packages that have postinstall scripts that run npm install. (@iarna)
  • 3b305ee71 Only auto-prune on installs that will create a lock-file. This restores [email protected] compatible behavior when the lock-file is disabled. When using a lock-file npm will continue to remove anything in your node_modules that’s not in your lock-file. (@iarna)
  • cec5be542 Fix bug where npm prune --production would remove dev deps from the lock file. It will now only remove them from node_modules not from your lock file. (@iarna)
  • 857dab03f Fix bug where git dependencies would be removed or reinstalled when installing other dependencies. (@iarna)


  • a66e0cd03 For CIDR filtered tokens, allow comma separated CIDR ranges, as documented. Previously you could only pass in multiple cidr ranges with multiple --cidr command line options. (@iarna)
  • d259ab014 Fix token revocation when an OTP is required. Previously you had to pass it in via --otp. Now it will prompt you for an OTP like other npm token commands. (@iarna)
  • f8b1f6aec Update token and profile commands to support legacy (username/password) authentication. (The npm registry uses tokens, not username/password pairs, to authenticate commands.) (@iarna)


  • 6954dfc19 Fix a bug where packages would get pushed deeper into the tree when upgrading without an existing copy on disk. Having packages deeper in the tree ordinarily is harmless but is not when peerDependencies are in play. (@iarna)
  • 1ca916a1e Fix bug where when switching from a linked module to a non-linked module, the dependencies of the module wouldn’t be installed on the first run of npm install. (@iarna)
  • 8c120ebb2 Fix integrity matching to eliminate spurious EINTEGRITY errors. (@zkat)
  • 94227e15e More consistently make directories using perm and ownership preserving features. (@iarna)