Friday, 18 May, 2018 UTC


Look at that! A feature bump! npm@6 was super-exciting not just because it used a bigger number than ever before, but also because it included a super shiny new command: npm audit. Well, we’ve kept working on it since then and have some really nice improvements for it. You can expect more of them, and the occasional fix, in the next few releases as more users start playing with it and we get more feedback about what y'all would like to see from something like this.
I, for one, have started running it (and the new subcommand…) in all my projects, and it’s one of those things that I don’t know how I ever functioned without it! This will make a world of difference to so many people as far as making the npm ecosystem a higher-quality, safer commons for all of us.
This is also a good time to remind y'all that we have a new RFCs repository, along with a new process for them. This repo is open to anyone’s RFCs, and has already received some great ideas about where we can take the CLI (and, to a certain extent, the registry). It’s a great place to get feedback, and completely replaces feature requests in the main repo, so we won’t be accepting feature requests there at all anymore. Check it out if you have something you’d like to suggest, or if you want to keep track of what the future might look like!

NEW FEATURE: npm audit fix

This is the biggie with this release! npm audit fix does exactly what it says on the tin. It takes all the actionable reports from your npm audit and runs the installs automatically for you, so you don’t have to try to do all that mechanical work yourself!
Note that by default, npm audit fix will stick to semver-compatible changes, so you should be able to run it safely on most projects and carry on with your day without having to track down what breaking changes were included. If you want your (top-level) dependencies to accept semver-major bumps as well, you can use npm audit fix --force and it’ll toss those in too. Since it runs the npm installer under the hood, it also supports the --production and --only=dev flags, as well as things like --dry-run, --json, and --package-lock-only, if you want more control over what it does.
Give it a whirl and tell us what you think! See npm help audit for full docs!
  • 3800a660d Add npm audit fix subcommand to automatically fix detected vulnerabilities. (@zkat)
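As an added illustration (not code from the npm project or from this post), here is a small JavaScript triage of an npm audit --json report that applies the rules described above: semver-compatible updates go through by default, major bumps wait for --force, --production skips dev-only findings, and "review" actions are left to a human. The report shape (actions[] with action/module/target/isMajor/resolves[].dev, metadata.vulnerabilities) and the sample data are assumptions.

```javascript
// Added example, not npm's own code: sort an `npm audit --json` report into
// what `npm audit fix` applies by default, what needs `--force` (semver-major
// bumps) and what is left for manual review. The report shape is assumed.

// Constructed sample, trimmed to the fields used (npm 6 style report).
const SAMPLE_REPORT = {
  actions: [
    { action: 'update', module: 'pkg-a', target: '1.2.3', isMajor: false,
      resolves: [{ id: 1001, path: 'pkg-a', dev: false }] },
    { action: 'install', module: 'pkg-b', target: '5.0.0', isMajor: true,
      resolves: [{ id: 1002, path: 'pkg-c>pkg-b', dev: true }] },
    { action: 'review', module: 'pkg-d',
      resolves: [{ id: 1003, path: 'pkg-e>pkg-d', dev: true }] },
  ],
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 1, high: 1, critical: 0 } },
};

// Mirror the CLI flags: `force` lets major bumps through, `production`
// skips actions that only touch devDependencies.
function triageAudit(report, { force = false, production = false } = {}) {
  const out = { auto: [], needsForce: [], manual: [] };
  for (const a of report.actions) {
    if (production && a.resolves.every(r => r.dev)) continue;
    if (a.action === 'review') out.manual.push(a);
    else if (a.isMajor && !force) out.needsForce.push(a);
    else out.auto.push(a);
  }
  return out;
}

// Count findings at or above a severity, e.g. to fail a CI job on 'high'.
const SEVERITIES = ['info', 'low', 'moderate', 'high', 'critical'];
function countAtOrAbove(report, threshold) {
  const v = report.metadata.vulnerabilities;
  return SEVERITIES.slice(SEVERITIES.indexOf(threshold))
    .reduce((n, s) => n + (v[s] || 0), 0);
}
// One human-readable line per action.
function describe(actions) {
  return actions.map(a =>
    `${a.action} ${a.module}${a.target ? '@' + a.target : ''}` +
    ` (advisories ${a.resolves.map(r => r.id).join(', ')})`);
}

const triage = triageAudit(SAMPLE_REPORT);
console.log('fixed by default:', describe(triage.auto));
console.log('needs --force   :', describe(triage.needsForce));
console.log('manual review   :', describe(triage.manual));
console.log('high or worse   :', countAtOrAbove(SAMPLE_REPORT, 'high'));
```

The same split is what a CI job would use to fail only on findings that npm audit fix cannot resolve without --force.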


  • 1854b1c7f #20568 Add support for npm audit --json to print the report in JSON format. (@finnp)
  • 85b86169d #20570 Include number of audited packages in npm install summary output. (@zkat)
  • 957cbe275 [email protected]: Overhaul audit install and detail output format. The new format is terser and fits more closely into the visual style of the CLI, while still providing you with the important bits of information you need. It also includes a bit more detail in the footer about what actions you can take! (@zkat)

NEW FEATURE: GIT DEPS AND npm init <pkg>!

Another exciting change that came with npm@6 was the new npm init command that allows for community-authored generators. That means you can, for example, do npm init react-app and it’ll one-off download, install, and run create-react-app for you, without requiring or keeping around any global installs. That is, it basically just calls out to npx.
The first version of this command only really supported registry dependencies, but now, @jdalton went ahead and extended this feature so you can use hosted git dependencies, and their shorthands.
So go ahead and do npm init facebook/create-react-app and it’ll grab the package from the GitHub repo now! Or you can use it with a private GitHub repository to maintain your organizational scaffolding tools or whatnot. ✨
  • 483e01180 #20403 Add support for hosted git packages to npm init <name>. (@jdalton)


  • a41c0393c #20538 Make the new npm view work when the license field is an object instead of a string. (@zkat)
  • eb7522073 #20582 Add support for environments (like Docker) where the expected binary for opening external URLs is not available. (@bcoe)
  • 212266529 #20536 Fix a spurious colon in the new update notifier message and add support for the npm canary. (@zkat)
  • 5ee1384d0 #20597 Infer a version range when a package.json has a dist-tag instead of a version range in one of its dependency specs. Previously, this would cause dependencies to be flagged as invalid. (@zkat)
  • 4fa68ae41 #20585 Make sure scoped bundled deps are shown in the new publish preview, too. (@zkat)
  • 1f3ee6b7e [email protected]: Stop dropping size from metadata on npm cache verify. (@jfmartinez)
  • 91ef93691 #20513 Fix nested command aliases. (@mmermerkaya)
  • 18b2b3cf7 [email protected]: Make sure different versions of the Path env var on Windows all get node_modules/.bin prepended when running lifecycle scripts. (@laggingreflex)


  • a91d87072 #20550 Update required node versions in README. (@legodude17)
  • bf3cfa7b8 Pull in changelogs from the last [email protected] release. (@iarna)
  • b2f14b14c #20629 Make tone in publishConfig docs more neutral. (@jeremyckahn)