Age | Commit message (Collapse) | Author |
|
|
|
In preparation for @npmcli/eslint-config@3.1.0
|
|
|
|
|
|
|
|
When `--prefix` is used, both the local and global prefix values are set
to be identical. This is functionally broken because their directory
structures are inherently different (for instance, in posix the tree is
in `lib/node_modules` in the global prefix).
This commit makes npm exec ignore the global folders if it detects both
local and global prefix are identical.
|
|
|
|
|
|
The workspace-location-msg file was being called improperly by `npm
init` and not even tested, and when digging in it probably shouldn't be
used at all from there. It's not always a workspace in this context.
|
|
Lots of bugfixes here, we properly parse ranges and versions, and we
also now work with git repos and gists, and know when they are already
installed.
|
|
feat: add --replace-registry-host=<npmjs|always|never>|<hostname>
|
|
new webAuthn flow (#5243)
|
|
Co-authored-by: Gar <gar+gh@danger.computer>
|
|
checking if its a workspace (#5164)
|
|
* fix: allow link from path with hash character
* fix: allow hash character in path in other places
* Remove extra semicolon
|
|
|
|
|
|
This also changes all the log messages about not being able to create
initial directories and files to `log.verbose` since we know run those
commands on init. There are a lot of valid reasons why those might fail,
and we don't want to show a warning for them every time.
Fixes: #4769
Fixes: #4838
Fixes: #4996
|
|
* feat: Add support for web auth, utilizing code from npm-profile
Co-authored-by: Jordan Harband <ljharb@gmail.com>
Co-authored-by: Hayden Faulds <fauldsh@gmail.com>
Co-authored-by: Sandeep Meduru <sandeepmeduru@github.com>
|
|
|
|
It is not supposed to be there, in that it doesn't get any updates and
gets in the way of logging messages. We already log the server we are
publishing to in the `notice` headers so the one `http` log message that
we get during publish isn't needed on stdout.
|
|
Closes #4765
RFC: https://github.com/npm/rfcs/pull/591
While this doesn't directly allow top-level cert/key as credentials (per the
original issue), it's a more targeted/secure approach that accomplishes the
same end-result; the new options are scoped to a specific registry, and the
actual cert/key contents are much less likely to be exposed. See the RFC for
more context.
Depends on:
* https://github.com/npm/npm-registry-fetch/pull/125
* https://github.com/npm/config/pull/69
|
|
|
|
|
|
|
|
|
|
* feat: add npm audit signatures
Implements [RFC: Improve signature verification](https://github.com/npm/rfcs/pull/550/)
Adds a new sub-command to `audit`: `npm audit signatures` (following [`npm audit licenses`](https://github.com/npm/cli/pull/3452))
This command will verify registry signatures stored in the packument against a public key on the registry.
Supporting:
- Any registry that implements `host/-/npm/v1/keys` endpoint and provides `signatures` in the packument `dist` object
- Validates public keys are not expired
- Errors when encountering packages with missing signatures when the registry returns keys at `host/-/npm/v1/keys`
- Errors when encountering invalid signatures
- Output: json/human formats
|
|
|
|
(#4960)
Prompt before opening web-login URL when performing login/adduser
|
|
This fixes an error in npm show. When calling npm show with a specific
version of a package that does not exist, it does not show anything and
gives a zero exit code. This has been changed: now it gives a 404 Error
similar to if the package does not exist. Can be tested with npm show
express@5.0.0 (local: node bin/npm-cli.js info express@5.0.0)
Fixes #4964
Co-authored-by: @lukaskuhn-lku
Co-authored-by: @ljharb
|
|
Many of our commands parse their args via
[npm-package-arg](https://npm.im/npm-package-arg), which is a good
standard way of parsing a "package" argument. However the docs
surrounding these args are not very consistent. This can lead to
confusion in commands such as `npm publish` where the behavior is
slightly different than in the past due to this.
This adds a new help command `npm help package-spec` that describes what
this argument is, and can be, and also updates all the commands that
interpret their args this with to refer to them as `<package-spec>`. It
also adds a link to the new help page on their docs pages.
|
|
|
|
* feat: Add --use-webauth flag
* Add docs
* Switch from a separate flag to a variation of auth-type
* Update snapshot
|
|
Adds a minimalistic reify step that updates the installed tree after
initializing a new workspace.
Moved the shared update logic from `lib/commands/version.js` to a
`lib/workspaces/update-workspaces.js` module that is reused between
both `npm version` and `npm init`.
Relates to: https://github.com/npm/rfcs/issues/556
Relates to: https://github.com/npm/cli/pull/4588
|
|
|
|
|
|
|
|
The tests use real data now, a bare throw that is not a usageError was
also found and changed to a usageError
|
|
The removal of node_modules was happening in a race with the loading of
the virtualTree, and before the validation of the package-lock against
the package.json. This defers the removal till after all that
validation has happened.
It also makes the errors thrown usage errors, and refactors the tests to
be real.
|
|
|
|
* feat(arborist): added flag to omit lockfile resolved
* feat: add flag --omit-lockfile-registry-resolved
Co-authored-by: Caleb ツ Everett <calebev@amazon.com>
|
|
|
|
All three of these commands do the same thing: open a manifest and find
a url inside to open it. The finding of that manifest was not very
consistent across these three commands. Some work with workspaces while
others don't. Some work correctly with `--prefix` while others don't.
This PR consolidates these commands so that they all are consistent in
how they find the manifest being referenced. The specifics of which url
they open are still left to each command. The util that only these
three commands were using was consolidated into their base class.
|
|
It was querying whoami once for every package you starred/unstarred, and
incorrectly trying to determine if you weren't logged in. In fact the
function throws a descriptive message if you're not logged in already.
The whoami check was also racing with the fetch of the packument for
each package you were starring/unstarring meaning you could also get a
random 401 for a private package instead of the 'you need to log in'
message.
unstar was setting an undocumented config item to get the
shared code to unstar. The command already has a name attribute that
tells us what action we are doing so we can just use that.
Finally, the duplicated (and differing) params between the two commands
were consolidated.
|
|
Turns out there were three files that still had no test coverage because
of the combination of the mocks in tests and the coverage map. Removing
the map altogether exposed them.
This PR removes the coverage map and fixes test to cover all lines that
were being missed.
While adding coverage to the `npm search` codebase multiple unneeded
guards and at least one bug was found (it was impossible to exclude
searches based on username). These were fixed.
The `npm view` tests were also refactored to use the real npm object.
Finally, a small inlining of lib/utils/file-exists.js was done.
|
|
As of npm@7, extraneous modules are always auto pruned
|
|
|
|
|
|
chalk already has a way to disable color output, so if we don't want
color we can disable it there and always use that instance of chalk.
This was only updated in the two commands that have real tests. Doing
it in the other places is going to require making their tests real so
that we don't ALSO have to rewrite their tests just to change their
internal code.
|
|
|