npm v7 Series - Arborist Deep Dive

<< Introduction @npmcli/arborist is the dependency tree manager for npm, new in npm v7. It provides facilities for doing nearly everything that npm does with package trees, and fully replaces large parts of the npm CLI codebase. Way back in the ... more

npm v7 Series - Introduction

Quite a lot has happened in npm since our last update way back in 2019. We’re overdue for a status update on npm v7. Despite some massive distracting changes (some unfortunate, some very fortunate), development work has been proceeding steadily. Yesterday, ... more

Release: 6.14.5

Happy Monday! Time for a new npm version 😄 v6.14.5 containing a few bug fixes from the community and dependency updates. To get it: npm install -g npm@latest 6.14.5 (2020-05-04) BUG FIXES 33ec41f18 #758 fix: relativize file links when inflating shrinkwrap ... more

So long, and thanks for all the packages!

On September 29th, 2019, npm turned 10 years old and we all celebrated the incredible story of npm. Today, I’m announcing my departure from npm, and that has me looking back at the last 10 years and my own story. A lot has changed, I got married, bought ... more

Updates to our Privacy Policy

We have recently updated our privacy FAQ. This update includes, amongst others, changes to provide further detail regarding: How npm shares data with service providers The circumstances in which certain data may be available publicly on our platform ... more

Statement on the COVID-19 Crisis

Like everyone else around the globe, we are closely monitoring the COVID-19 situation for possible effects on our employees, our services, and our customers. We know that many organizations playing key roles in fighting the disease, helping those directly ... more

Release: 6.14.4

Hello Everyone! We just published v6.14.4 containing some dependencies updates 😊 You can get the latest release in the usual ways: npm install -g npm@latest 6.14.4 DEPENDENCIES 136832dca [email protected] Bump [email protected] transitive dep to resolve security ... more

Why npm Is My Agency’s Package Manager of Choice to Help Us Grow Quickly

Guest post from npm customer and the f ounder of Rise , Kahl Orr. I run Rise, a fast-growing web design and development agency based in Philadelphia. I started my company after my first job as a developer led to high demand for my services in the form ... more

Release: 6.14.3

A new npm version has been released, v6.14.3! 🎉 You can update to the latest version of the cli in the usual way: $ npm install -g npm@latest Notable updates include: e11167646 [email protected] c5b97d17d fix: bump minimist dep to resolve security issue ... more

Next Phase Montage

tl;dr – Good news! npm, Inc., is being purchased by GitHub. The public registry remains public, free, and as available as ever. npm as you know it continues, and in fact, there is good reason to believe that it’ll only get better. I’m still going to ... more

Release: 6.14.2

A new npm version has been released, v6.14.2! 🎉 You can update to the latest version of the cli in the usual way: $ npm install -g npm@latest Notable updates include: 9204ffa58 [email protected] (@isaacs) 6bcf0860a fix: treat non-http/https login urls ... more

Release: 6.14.1

6.14.1 (2020-02-26) 303e5c11e [email protected] Fixes a regression where scp-style git urls are passed to the WhatWG URL parser, which does not handle them properly. (@isaacs) ... more

Release: 6.14.0

A new npm version has been released, v6.14 ! You can update to the latest version of the cli in the usual way: $ npm install -g npm@latest 🎉 Support for multiple funding entries A big shout-out goes to @ljharb & @ruyadorno for their work on expanding ... more

Incident Report: 403 / 429 Errors for Some Users

At 11:06 UTC, our CDN partner deployed changes intended to detect spurious traffic by observing the “Referer” HTTP request header. This change caused some requests from the npm CLI to be flagged as suspect by the CDN. To our monitoring systems, this ... more

A Day in the Life of npm Security

The JavaScript ecosystem is a lush, fertile, mostly beneficent garden. But even the best gardens need some tending. Much of that tending comes in the form of the continuous research on the part of the npm security team mated with their automated processes ... more

Changes to npm Unpublish Policy - January 2020

TL;DR Until today, you couldn’t unpublish packages, or package versions, older than 72 hours without contacting support (background available here and here). Because this is our most popular support request, we’ve extended the ability for you to unpublish ... more

Release: 6.13.7

Hello Everyone! There is a new release of the npm cli v6.13.7! You can update to the latest version of the cli with the following command: $ npm install -g npm@latest 6.13.7 BUG FIXES 7dbb91438 #655 Update CI detection cases (@isaacs) DEPENDENCIES 0fb1296c7 ... more

Release: 6.13.6

Happy Thursday! We shipped two releases today: v6.13.5 and v6.13.6 😄 You can get the latest release in the usual ways: npm i -g npm@latest 6.13.6 DEPENDENCIES 6dba897a1 [email protected] : d2f4176 fix(git): Do not drop uid/gid when executing in root-owned ... more

npm Privacy Policy Update: California Consumer Privacy Act

The California Consumer Privacy Act went into effect on January 1, 2020. We have updated our privacy FAQ to answer the following questions about our compliance with the CCPA: Does npm comply with the California Consumer Privacy Act? How can I access ... more

npm Security 2019 in Review

A year in review from VP of Security Adam Baldwin (in the style of Harper’s Index): Number of npm tokens revoked that were erroneously published to either the registry or to GitHub: 737 Value, in millions of dollars, of cryptocurrency saved from theft ... more

Binary Planting with the npm CLI

tl;dr - Update to npm v6.13.4 as soon as possible on all your systems to fix a vulnerability allowing arbitrary path access. The Vulnerabilities In versions of npm prior to 6.13.3 (and versions of yarn prior to 1.21.1), a properly constructed entry in ... more

Release: 6.13.4

Second of two important bugfix releases this week. Please enjoy it! npm install -g npm@latest 6.13.4 (2019-12-11) BUGFIXES 320ac9aee npm/bin-links#12 npm/gentle-fs#7 Do not remove global bin/man links inappropriately (@isaacs) DEPENDENCIES 52fd21061 ... more

New Products and a Glimpse Ahead

We’re pleased to announce today the launch of npm Pro, an affordable new tool designed for independent JavaScript developers, and well-suited for consultant work, personal projects, and side hustles. We’re also announcing npm Teams, the new name for ... more

Release: 6.13.3

Just a quick little release to update some deps and fix a few very annoying bugs. Come and get it! npm i -g npm@latest Full release notes: 6.13.3 (2019-12-09) DEPENDENCIES 19ce061a2 [email protected] Properly normalize, sanitize, and verify bin entries ... more

Release: 6.13.2

A new npm version has been released! Get it in the usual ways: npm i -g npm@latest 6.13.2 (2019-12-03) BUG FIXES 4429645b3 #546 fix docs target typo (@richardlau) 867642942 #142 fix(packageRelativePath): fix ‘where’ for file deps (@larsgw) d480f2c17 ... more

Incident Report: npm Registry Service Degradation

From November 21-25, the npm registry experienced periodic service degradation. Alerted to increasing error rates from our monitoring systems and reports from the npm community, our incident response team began investigations on Thursday and has since ... more

npm Security Insights API Preview Part 3: Behavioral Analysis

This is the third in a series of blog posts we’re running to preview and gather input on the new security insights API we’re developing. Previous posts Part 1: Package publication Insights Part 2: Malware Today’s topic: Behavioral Analysis A lot of stuff ... more

Release: 6.13.1

A new npm version has been released! This fixes some bugs and includes changes on the docs by the community! Get it in the usual ways: npm i -g npm@latest 6.13.1 (2019-11-18) BUG FIXES 938d6124d #472 fix(fund): support funding string shorthand (@ruyadorno) ... more

Cool new stuff in [email protected]

npm developer Ruy Adorno writes about his experience cutting his first npm release and two new features available in the CLI › https://dev.to/ruyadorno/npm-6-13-0-7f3 ... more

Updates to Community, Docs & more...

Happy Tuesday! Here on the Community & Open Source Team we’ve been working hard, in front of and behind the scenes, to provide real value and unlock developer potential. With that in mind, I’m happy to announce a number of updates/releases we’ve ... more