Hey y'all! Here’s another npm@6
release – with node@10
around the corner, this might well be the last prerelease before we tag 6.0.0
! There’s two major features included with this release, along with a few miscellaneous fixes and changes.
EXTENDED npm init
SCAFFOLDING
Thanks to the wonderful efforts of @jdalton of lodash fame, npm init
can now be used to invoke custom scaffolding tools!
You can now do things like npm init react-app
or npm init esm
to scaffold an npm package by running create-react-app
and create-esm
, respectively. This also adds an npm create
alias, to correspond to Yarn’s yarn create
feature, which inspired this.
008a83642
ed81d1426
833046e45
#20303 Add an npm init
feature that calls out to npx
when invoked with positional arguments. (@jdalton)
DEPENDENCY AUDITING
This version of npm adds a new command, npm audit
, which will run a security audit of your project’s dependency tree and notify you about any actions you may need to take.
The registry-side services required for this command to work will be available on the main npm registry in the coming weeks. Until then, you won’t get much out of trying to use this on the CLI.
As part of this change, the npm CLI now sends scrubbed and cryptographically anonymized metadata about your dependency tree to your configured registry, to allow notifying you about the existence of critical security flaws. For details about how the CLI protects your privacy when it shares this metadata, see npm help audit
, or read the docs for npm audit
online. You can disable this altogether by doing npm config set audit false
, but will no longer benefit from the service.
f4bc648ea
#20389 [email protected]
(@iarna) 594d16987
#20389 [email protected]
(@iarna) 8c77dde74
1d8ac2492
552ff6d64
09c734803
#20389 Add new npm audit
command. (@iarna) be393a290
#20389 Temporarily suppress git metadata till there’s an opt-in. (@iarna) 8e713344f
#20389 Document the new command. (@iarna)
MORE package-lock.json
FORMAT CHANGES?!
820f74ae2
#20384 Add from
field back into package-lock for git dependencies. This will give npm the information it needs to figure out whether git deps are valid, specially when running with legacy install metadata or in --package-lock-only
mode when there’s no node_modules
. This should help remove a significant amount of git-related churn on the lock-file. (@zkat)
BUGFIXES
9d5d0a18a
#20358 npm install-test
(aka npm it
) will no longer generate package-lock.json
when running with --no-package-lock
or package-lock=false
. (@raymondfeng) e4ed976e2
2facb35fb
9c1eb945b
#20390 Fix a scenario where a git dependency had a comittish associated with it that was not a complete commitid. npm
would never consider that entry in the package.json
as matching the entry in the package-lock.json
and this resulted in inappropriate pruning or reinstallation of git dependencies. This has been addressed in two ways, first, the addition of the from
field as described in #20384 means we can exactly match the package.json
. Second, when that’s missing (when working with older package-lock.json
files), we assume that the match is ok. (If it’s not, we’ll fix it up when a real installation is done.) (@iarna)
DEPENDENCIES
DOCS
a1c77d614
#20331 Fix broken link to ‘private-modules’ page. The redirect went away when the new npm website went up, but the new URL is better anyway. (@vipranarayan14) ad7a5962d
#20279 Document the --if-present
option for npm run-script
. (@aleclarson)