author | Rebecca Turner <me@re-becca.org> | 2018-05-12 02:05:48 +0300 |
---|---|---|
committer | Rebecca Turner <me@re-becca.org> | 2018-05-12 02:51:37 +0300 |
commit | bf3cfa7b8b351714c4ec621e1a5867c8450c6fff (patch) | |
tree | 67348807544308a436794d979f32ebb5e8936ae8 /changelogs | |
parent | a91d87072f292564e58dcab508b5a8c6702b9aae (diff) |
doc: Pull in changelogs from last npm@5 releases
Credit: @iarna
Diffstat (limited to 'changelogs')
-rw-r--r-- | changelogs/CHANGELOG-5.md | 209 |
1 files changed, 208 insertions, 1 deletions
diff --git a/changelogs/CHANGELOG-5.md b/changelogs/CHANGELOG-5.md index af04f4d11..019845869 100644 --- a/changelogs/CHANGELOG-5.md +++ b/changelogs/CHANGELOG-5.md 
@@ -1,4 +1,211 @@ -## v5.10.0 (2018-04-12): +## v5.10.0 (2018-05-10): + +### AUDIT SHOULDN'T WAIT FOREVER + +This will likely be reduced further with the goal that the audit process +shouldn't noticibly slow down your builds regardless of your network +situation. + +* [`3dcc240db`](https://github.com/npm/npm/commit/3dcc240dba5258532990534f1bd8a25d1698b0bf) + Timeout audit requests eventually. + ([@iarna](https://github.com/iarna)) + + +## v5.10.0-next.1 (2018-05-07): + +### EXTENDED `npm init` SCAFFOLDING + +Thanks to the wonderful efforts of [@jdalton](https://github.com/jdalton) of +lodash fame, `npm init` can now be used to invoke custom scaffolding tools! + +You can now do things like `npm init react-app` or `npm init esm` to scaffold an +npm package by running `create-react-app` and `create-esm`, respectively. This +also adds an `npm create` alias, to correspond to Yarn's `yarn create` feature, +which inspired this. + +* [`adc009ed4`](https://github.com/npm/npm/commit/adc009ed4114ed1e692f8ef15123af6040615cee) + [`f363edd04`](https://github.com/npm/npm/commit/f363edd04f474fa64e4d97228c0b2a7858f21e7c) + [`f03b45fb2`](https://github.com/npm/npm/commit/f03b45fb217df066c3cb7715f9c0469d84e5aa8e) + [`13adcbb52`](https://github.com/npm/npm/commit/13adcbb527fb8214e5f2233706c6b72ce072f3fa) + [#20303](https://github.com/npm/npm/pull/20303) + [#20372](https://github.com/npm/npm/pull/20372) + Add an `npm init` feature that calls out to `npx` when invoked with positional + arguments. ([@jdalton](https://github.com/jdalton)) + +### DEPENDENCY AUDITING + +This version of npm adds a new command, `npm audit`, which will run a security +audit of your project's dependency tree and notify you about any actions you may +need to take. + +The registry-side services required for this command to work will be available +on the main npm registry in the coming weeks. Until then, you won't get much out +of trying to use this on the CLI. 
+ +As part of this change, the npm CLI now sends scrubbed and cryptographically +anonymized metadata about your dependency tree to your configured registry, to +allow notifying you about the existence of critical security flaws. For details +about how the CLI protects your privacy when it shares this metadata, see `npm +help audit`, or [read the docs for `npm audit` +online](https://github.com/npm/npm/blob/release-next/doc/cli/npm-audit.md). You +can disable this altogether by doing `npm config set audit false`, but will no +longer benefit from the service. + +* [`c81dfb91b`](https://github.com/npm/npm/commit/c81dfb91bc031f1f979fc200bb66718a7e8e1551) + `npm-registry-fetch@1.1.1` + ([@iarna](https://github.com/iarna)) +* [`b096f44a9`](https://github.com/npm/npm/commit/b096f44a96d185c45305b9b6a5f26d3ccbbf759d) + `npm-audit-report@1.0.9` + ([@iarna](https://github.com/iarna)) +* [`43b20b204`](https://github.com/npm/npm/commit/43b20b204ff9a86319350988d6774397b7da4593) + [#20389](https://github.com/npm/npm/pull/20389) + Add new `npm audit` command. + ([@iarna](https://github.com/iarna)) +* [`49ddb3f56`](https://github.com/npm/npm/commit/49ddb3f5669e90785217a639f936f4e38390eea2) + [#20389](https://github.com/npm/npm/pull/20389) + Temporarily suppress git metadata till there's an opt-in. + ([@iarna](https://github.com/iarna)) +* [`5f1129c4b`](https://github.com/npm/npm/commit/5f1129c4b072172c72cf9cff501885e2c11998ea) + [#20389](https://github.com/npm/npm/pull/20389) + Document the new command. + ([@iarna](https://github.com/iarna)) +* [`9a07b379d`](https://github.com/npm/npm/commit/9a07b379d24d089687867ca34df6e1e6189c72f1) + [#20389](https://github.com/npm/npm/pull/20389) + Default audit to off when running the npm test suite itself. + ([@iarna](https://github.com/iarna)) +* [`a6e2f1284`](https://github.com/npm/npm/commit/a6e2f12849b84709d89b3dc4f096e8c6f7db7ebb) + Make sure we hide stream errors on background audit submissions. 
Previously some classes + of error could end up being displayed (harmlessly) during installs. + ([@iarna](https://github.com/iarna)) +* [`aadbf3f46`](https://github.com/npm/npm/commit/aadbf3f4695e75b236ee502cbe41e51aec318dc3) + Include session and scope in requests (as we do in other requests to the registry). + ([@iarna](https://github.com/iarna)) +* [`7d43ddf63`](https://github.com/npm/npm/commit/7d43ddf6366d3bfc18ea9ccef8c7b8e43d3b79f5) + Exit with non-zero status when vulnerabilities are found. So you can have `npm audit` as a test or prepublish step! + ([@iarna](https://github.com/iarna)) +* [`bc3fc55fa`](https://github.com/npm/npm/commit/bc3fc55fae648da8efaf1be5b86078f0f736282e) + Verify lockfile integrity before running. You'd get an error either way, but this way it's + faster and can give you more concrete instructions on how to fix it. + ([@iarna](https://github.com/iarna)) +* [`2ac8edd42`](https://github.com/npm/npm/commit/2ac8edd4248f2393b35896f0300b530e7666bb0e) + Refuse to run in global mode. Audits require a lockfile and globals don't have one. Yet. + ([@iarna](https://github.com/iarna)) + +### CTRL-C OUT DURING PACKAGE EXTRACTION AS MUCH AS YOU WANT! + +* [`663d8b5e5`](https://github.com/npm/npm/commit/663d8b5e5427c2243149d2dd6968faa117e9db3f) + [npm/lockfile#29](https://github.com/npm/lockfile/pull/29) + `lockfile@1.0.4`: + Switches to `signal-exit` to detect abnormal exits and remove locks. + ([@Redsandro](https://github.com/Redsandro)) + +### SHRONKWRAPS AND LACKFILES + +If a published modules had legacy `npm-shrinkwrap.json` we were saving +ordinary registry dependencies (`name@version`) to your `package-lock.json` +as `https://` URLs instead of versions. + +* [`36f998411`](https://github.com/npm/npm/commit/36f9984113e39d7b190010a2d0694ee025924dcb) + When saving the lock-file compute how the dependency is being required instead of using + `_resolved` in the `package.json`. 
This fixes the bug that was converting + registry dependencies into `https://` dependencies. + ([@iarna](https://github.com/iarna)) +* [`113e1a3af`](https://github.com/npm/npm/commit/113e1a3af2f487c753b8871d51924682283c89fc) + When encountering a `https://` URL in our lockfiles that point at our default registry, extract + the version and use them as registry dependencies. This lets us heal + `package-lock.json` files produced by 6.0.0 + ([@iarna](https://github.com/iarna)) + +### MORE `package-lock.json` FORMAT CHANGES?! + +* [`074502916`](https://github.com/npm/npm/commit/0745029168dfdfee0d1823137550e6ebccf741a5) + [#20384](https://github.com/npm/npm/pull/20384) + Add `from` field back into package-lock for git dependencies. This will give + npm the information it needs to figure out whether git deps are valid, + specially when running with legacy install metadata or in + `--package-lock-only` mode when there's no `node_modules`. This should help + remove a significant amount of git-related churn on the lock-file. + ([@zkat](https://github.com/zkat)) + +### DOCUMENTATION IMPROVEMENTS + +* [`e0235ebb6`](https://github.com/npm/npm/commit/e0235ebb6e560f0114b8babedb6949385ab9bd57) + [#20384](https://github.com/npm/npm/pull/20384) + Update the lock-file spec doc to mention that we now generate the from field for `git`-type dependencies. + ([@watilde](https://github.com/watilde)) +* [`35de04676`](https://github.com/npm/npm/commit/35de04676a567ef11e1dd031d566231021d8aff2) + [#20408](https://github.com/npm/npm/pull/20408) + Describe what the colors in outdated mean. + ([@teameh](https://github.com/teameh)) + +### BUGFIXES + +* [`1b535cb9d`](https://github.com/npm/npm/commit/1b535cb9d4a556840aeab2682cc8973495c9919a) + [#20358](https://github.com/npm/npm/pull/20358) + `npm install-test` (aka `npm it`) will no longer generate `package-lock.json` + when running with `--no-package-lock` or `package-lock=false`. 
+ ([@raymondfeng](https://github.com/raymondfeng)) +* [`268f7ac50`](https://github.com/npm/npm/commit/268f7ac508cda352d61df63a2ae7148c54bdff7c) + [`5f84ebdb6`](https://github.com/npm/npm/commit/5f84ebdb66e35486d1dec1ca29e9ba0e4c5b6d5f) + [`c12e61431`](https://github.com/npm/npm/commit/c12e61431ecf4f77e56dc8aa55c41d5d7eeaacad) + [#20390](https://github.com/npm/npm/pull/20390) + Fix a scenario where a git dependency had a comittish associated with it + that was not a complete commitid. `npm` would never consider that entry + in the `package.json` as matching the entry in the `package-lock.json` and + this resulted in inappropriate pruning or reinstallation of git + dependencies. This has been addressed in two ways, first, the addition of the + `from` field as described in [#20384](https://github.com/npm/npm/pull/20384) means + we can exactly match the `package.json`. Second, when that's missing (when working with + older `package-lock.json` files), we assume that the match is ok. (If + it's not, we'll fix it up when a real installation is done.) + ([@iarna](https://github.com/iarna)) + +### DOCS + +* [`7b13bf5e3`](https://github.com/npm/npm/commit/7b13bf5e373e2ae2466ecaa3fd6dcba67a97f462) + [#20331](https://github.com/npm/npm/pull/20331) + Fix broken link to 'private-modules' page. The redirect went away when the new + npm website went up, but the new URL is better anyway. + ([@vipranarayan14](https://github.com/vipranarayan14)) +* [`1c4ffddce`](https://github.com/npm/npm/commit/1c4ffddce05c25ef51e254dfc6a9a97e03c711ce) + [#20279](https://github.com/npm/npm/pull/20279) + Document the `--if-present` option for `npm run-script`. 
+ ([@aleclarson](https://github.com/aleclarson)) + +### DEPENDENCY UPDATES + +* [`815d91ce0`](https://github.com/npm/npm/commit/815d91ce0e8044775e884c1dab93052da57f6650) + `libnpx@10.2.0` + ([@zkat](https://github.com/zkat)) +* [`02715f19f`](https://github.com/npm/npm/commit/02715f19fbcdecec8990b92fc60b1a022c59613b) + `update-notifier@2.5.0` + ([@alexccl](https://github.com/alexccl)) +* [`08c4ddd9e`](https://github.com/npm/npm/commit/08c4ddd9eb560aa6408a1bb1c1d2d9aa6ba46ba0) + `tar@4.4.2` + ([@isaacs](https://github.com/isaacs)) +* [`53718cb12`](https://github.com/npm/npm/commit/53718cb126956851850839b4d7d3041d4e9a80d0) + `tap@11.1.4` + ([@isaacs](https://github.com/isaacs)) +* [`0a20cf546`](https://github.com/npm/npm/commit/0a20cf546a246ac12b5fe2b6235ffb8649336ec4) + `safe-buffer@5.1.2` + ([@feross](https://github.com/feross)) +* [`e8c8e844c`](https://github.com/npm/npm/commit/e8c8e844c194351fe2d65cf3af79ef318bbc8bec) + `retry@0.12.0` + ([@tim-kos](https://github.com/tim-kos)) +* [`76c7f21bd`](https://github.com/npm/npm/commit/76c7f21bd04407d529edc4a76deaa85a2d6b6e6f) + `read-package-tree@5.2.1` + ([@zkat](https://github.com/zkat)) +* [`c8b0aa07b`](https://github.com/npm/npm/commit/c8b0aa07b34a0b0f8bc85154da75d9fb458eb504) + `query-string@6.1.0` + ([@sindresorhus](https://github.com/sindresorhus)) +* [`abfd366b4`](https://github.com/npm/npm/commit/abfd366b4709325f954f2b1ee5bd475330aab828) + `npm-package-arg@6.1.0` + ([@zkat](https://github.com/zkat)) +* [`bd29baf83`](https://github.com/npm/npm/commit/bd29baf834c3e16a9b3d7b60cdb4f462889800bf) + `lock-verify@2.0.2` + ([@iarna](https://github.com/iarna)) + +## v5.10.0-next.0 (2018-04-12): ### NEW FEATURES |
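Review bot: In the new `v5.10.0 (2018-05-10)` entry, the paragraph under "AUDIT SHOULDN'T WAIT FOREVER" opens with "This will likely be reduced further" but never says what "This" refers to or what the current value is. State the audit request timeout first, then say it may be reduced, and correct "noticibly" to "noticeably" in the same sentence. In DEPENDENCY AUDITING, the privacy paragraph says metadata is sent to the configured registry but not when. The `a6e2f1284` bullet further down mentions "background audit submissions" during installs, so the paragraph should say explicitly that installs submit this data, right beside the `npm config set audit false` opt-out, so readers pointing at a third-party or private registry know what leaves their machine and how to stop it. Smaller points: "If a published modules had legacy" should read "If a published module had a legacy"; "comittish" should be "committish"; the `113e1a3af` bullet ends "produced by 6.0.0" with no final period; and the hunk adds both a "DOCUMENTATION IMPROVEMENTS" and a "DOCS" section under `v5.10.0-next.1`, which would read better merged into one.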