Friday, 4 May, 2018 UTC


Summary

CTRL-C OUT DURING PACKAGE EXTRACTION AS MUCH AS YOU WANT!

  • b267bbbb9 npm/lockfile#29 [email protected]: Switches to signal-exit to detect abnormal exits and remove locks. (@Redsandro)

SHRONKWRAPS AND LACKFILES

If a published module had a legacy npm-shrinkwrap.json, we were saving ordinary registry dependencies ([email protected]) to your package-lock.json as https:// URLs instead of versions.
  • 89102c0d9 When saving the lock-file, compute how the dependency is being required instead of using _resolved in the package.json. This fixes the bug that was converting registry dependencies into https:// dependencies. (@iarna)
  • 676f1239a When encountering an https:// URL in our lockfiles that points at our default registry, extract the version and use it as a registry dependency. This lets us heal package-lock.json files produced by 6.0.0. (@iarna)
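
A check for the condition these two fixes address, as an added example that is not npm's own code: it walks a parsed package-lock.json and reports entries whose version is an https:// tarball URL on the default registry, together with the version recoverable from that URL. The lockfile layout, the tarball URL shape, the function names and the sample packages are assumptions made for illustration.

```javascript
// Added example, not npm's code. Assumes a lockfile with nested `dependencies`
// maps and tarball URLs shaped <registry>/<name>/-/<basename>-<version>.tgz.
const DEFAULT_REGISTRY = 'https://registry.npmjs.org/';

// Return the version if `spec` is a tarball URL for `name` on `registry`, else null.
// The URL must name the same package as the lockfile key; anything else is left alone.
function versionFromRegistryUrl(name, spec, registry = DEFAULT_REGISTRY) {
  if (typeof spec !== 'string' || !spec.startsWith('https://')) return null;
  const base = registry.endsWith('/') ? registry : registry + '/';
  const basename = name.split('/').pop(); // "@scope/pkg" -> "pkg"
  const prefix = `${base}${name}/-/${basename}-`;
  if (!spec.startsWith(prefix) || !spec.endsWith('.tgz')) return null;
  const version = spec.slice(prefix.length, -4); // drop the ".tgz" suffix
  // Require a semver-looking string so arbitrary path segments are not accepted.
  const semver = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;
  return semver.test(version) ? version : null;
}

// Walk a parsed lockfile and report every entry whose `version` is a registry URL.
function findUrlPinnedRegistryDeps(lock, registry = DEFAULT_REGISTRY, trail = []) {
  const findings = [];
  for (const [name, entry] of Object.entries(lock.dependencies || {})) {
    const path = [...trail, name];
    const version = versionFromRegistryUrl(name, entry.version, registry);
    if (version !== null) {
      findings.push({ path: path.join(' > '), url: entry.version, version });
    }
    findings.push(...findUrlPinnedRegistryDeps(entry, registry, path));
  }
  return findings;
}

// Constructed sample lockfile (package names and versions are made up).
const sampleLock = {
  name: 'demo',
  lockfileVersion: 1,
  dependencies: {
    'left-thing': { version: 'https://registry.npmjs.org/left-thing/-/left-thing-1.2.3.tgz' },
    '@acme/util': {
      version: '2.0.0',
      dependencies: {
        '@acme/core': { version: 'https://registry.npmjs.org/@acme/core/-/core-0.4.1.tgz' },
      },
    },
    'elsewhere': { version: 'https://example.com/elsewhere/-/elsewhere-1.0.0.tgz' },
    'ok-dep': { version: '3.1.4' },
  },
};

console.log(findUrlPinnedRegistryDeps(sampleLock));
```

Entries that point at a host other than the default registry are deliberately not reported, since those are real URL dependencies rather than the symptom described here.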

AUDIT AUDIT EVERYWHERE

You can’t use it quite yet, but we do have a few last-moment patches to npm audit to make it even better when it is turned on!
  • b2e4f48f5 Make sure we hide stream errors on background audit submissions. Previously some classes of error could end up being displayed (harmlessly) during installs. (@iarna)
  • 1fe0c7fea Include session and scope in requests (as we do in other requests to the registry). (@iarna)
  • d04656461 Exit with non-zero status when vulnerabilities are found. So you can have npm audit as a test or prepublish step! (@iarna)
  • fcdbcbacc Verify lockfile integrity before running. You’d get an error either way, but this way it’s faster and can give you more concrete instructions on how to fix it. (@iarna)
  • 2ac8edd42 Refuse to run in global mode. Audits require a lockfile and globals don’t have one. Yet. (@iarna)

DOCUMENTATION IMPROVEMENTS

  • b7fca1084 #20407 Update the lock-file spec doc to mention that we now generate the from field for git-type dependencies. (@watilde)
  • 7a6555e61 #20408 Describe what the colors in outdated mean. (@teameh)

DEPENDENCY UPDATES