| Age | Commit message (Collapse) | Author |
|---|
|
|
|
|
|
BREAKING CHANGE: `timing` and `loglevel` changes
- `timing` has been removed as a value for `--loglevel`
- `--timing` will show timing information regardless of
`--loglevel`, except when `--silent`
Closes https://github.com/npm/statusboard/issues/455
Closes https://github.com/npm/statusboard/issues/454
|
|
auth docs
|
|
`npm`, `npm@`, and `npm@*` are all now the same spec
|
|
--global-style, --legacy-bundling (#5709)
BREAKING CHANGE: deprecate boolean install flags in favor of `--install-strategy`
* deprecate --global-style, --global now sets --install-strategy=shallow
* deprecate --legacy-bundling, now sets --install-strategy=nested
|
|
|
|
BREAKING CHANGE: the presence of auth related settings that are not scoped to a specific registry found in a config file is no longer supported and will throw errors
|
|
BREAKING CHANGE: the `node-version` and `npm-version` configs have been
removed.
These are only used sparingly by arborist to determine if optional
dependencies should be installed, and during engines checks (which
are only warnings unless `engine-strict` is true.
|
|
High level overview of the changes here:
- The source for the docs content has moved from `docs/content/` to
`docs/lib/content/`. The generated markdown is still written to
`docs/content/` but that directory is now ignored from git.
- All generated content sections of the docs have been removed and
replaced with single placeholder html comments such as `<!--
AUTOGENERATED CONFIG DESCRIPTIONS -->`
- Placeholders are replaced with generated content only as part of the
`prepack` step, so generated markdown is no longer checked in to
source and all docs related `make` commands have been removed
- All docs (and docs related) snapshots have been moved to a single test
file that outputs command usage and formats it with functions imported
from `docs/lib/index.js`. So tests will fail if docs content changes
until `npm run snap` is run.
|
|
|
|
|
|
|
|
The cache command itself contains this config making it a circular reference
|
|
This also lands the latest `pacote` which now requires passing in an
`Arborist` constructor for use in loading the package tree that gets
passed to `npm-packlist`.
BREAKING CHANGE: `npm pack` now follows a strict order of operations
when applying ignore rules. If a files array is present in the
package.json, then rules in .gitignore and .npmignore files from the
root will be ignored.
|
|
|
|
Also refactor all files written to the logs directory to use the same
code path for file name creation.
|
|
BREAKING CHANGE: `--timing` file changes:
- When run with the `--timing` flag, `npm` now writes timing data to a
file alongside the debug log data, respecting the `logs-dir` option and
falling back to `<CACHE>/_logs/` dir, instead of directly inside the
cache directory.
- The timing file data is no longer newline delimited JSON, and instead
each run will create a uniquely named `<ID>-timing.json` file, with the
`<ID>` portion being the same as the debug log.
- Finally, the data inside the file now has three top level keys,
`metadata`, `timers, and `unfinishedTimers` instead of everything being
a top level key.
Closes https://github.com/npm/statusboard/issues/456
|
|
BREAKING CHANGE: the default `auth-type` config value is now `web`
|
|
|
|
The difference between `adduser` and `login` depends on the `auth-type`.
- `web`: the POST to `/-/v1/login` contains a `{ create: true }` value
in its payload for `adduser`
- `legacy` the `PUT` request to `/-/user/org.couchdb.user:${username}`
contains an `email` value in its payload for `adduser`.
BREAKING CHANGE: `login`, `adduser`, and `auth-type` changes
- This removes all `auth-type` configs except `web` and `legacy`.
- `login` and `adduser` are now separate commands that send different data to the registry.
- `auth-type` config values `web` and `legacy` only try
their respective methods, npm no longer tries them all and waits to see
which one doesn't fail.
|
|
|
|
BREAKING CHANGE: renames most of the `npm access` subcommands
- `edit`, having never been implemented, is removed
- `public` is now `set status=public`
- `restricted` is now `set status=private`
- `ls-packages` is now `list packages`
- `ls-collaborators` is now `list collaborators`
- `2fa-required` is now `set mfa=publish`
- `2fa-not-required` is now `set mfa=none`
- `set mfa=automation` is added
- output is no longer in json by default
Usage:
npm access list packages [<user>|<scope>|<scope:team> [<package>]
npm access list collaborators [<package> [<user>]]
npm access get status [<package>]
npm access set status=public|private [<package>]
npm access set mfa=false|publish|automation [<package>]
npm access grant <read-only|read-write> <scope:team> [<package>]
npm access revoke <scope:team> [<package>]
Options:
[--json] [--otp <otp>] [--registry <registry>]
|
|
BREAKING CHANGE: this removes the `npm birthday` command
|
|
BREAKING CHANGE: this removes `npm set-script`
Folks should use `npm pkg set` to set the `scripts` field in their
`package.json`
Closes https://github.com/npm/statusboard/issues/449
|
|
BREAKING CHANGE: this changes the default value of `install-links` to
true
Closes https://github.com/npm/statusboard/issues/510
|
|
BREAKING CHANGE: this removes the `npm bin` command
The output of this command is misleading and incomplete. The `.bin`
resolution of npm is much more nuanced than this command implies, and
the output of `npm bin` is not something end users should be dealing
with. `npm` itself is responsible for running the `bin` entries of
modules, with the exception of global bins, which end up in the same
folder as `node` itself, presumably already in a user's path since they
can run node.
Closes https://github.com/npm/statusboard/issues/537
|
|
|
|
|
|
|
|
The workspace-location-msg file was being called improperly by `npm
init` and not even tested, and when digging in it probably shouldn't be
used at all from there. It's not always a workspace in this context.
|
|
Lots of bugfixes here, we properly parse ranges and versions, and we
also now work with git repos and gists, and know when they are already
installed.
|
|
feat: add --replace-registry-host=<npmjs|always|never>|<hostname>
|
|
Co-authored-by: Gar <gar+gh@danger.computer>
|
|
checking if its a workspace (#5164)
|
|
* fix: allow link from path with hash character
* fix: allow hash character in path in other places
* Remove extra semicolon
|
|
|
|
Closes #4765
RFC: https://github.com/npm/rfcs/pull/591
While this doesn't directly allow top-level cert/key as credentials (per the
original issue), it's a more targeted/secure approach that accomplishes the
same end-result; the new options are scoped to a specific registry, and the
actual cert/key contents are much less likely to be exposed. See the RFC for
more context.
Depends on:
* https://github.com/npm/npm-registry-fetch/pull/125
* https://github.com/npm/config/pull/69
|
|
|
|
|
|
* feat: add npm audit signatures
Implements [RFC: Improve signature verification](https://github.com/npm/rfcs/pull/550/)
Adds a new sub-command to `audit`: `npm audit signatures` (following [`npm audit licenses`](https://github.com/npm/cli/pull/3452))
This command will verify registry signatures stored in the packument against a public key on the registry.
Supporting:
- Any registry that implements `host/-/npm/v1/keys` endpoint and provides `signatures` in the packument `dist` object
- Validates public keys are not expired
- Errors when encountering packages with missing signatures when the registry returns keys at `host/-/npm/v1/keys`
- Errors when encountering invalid signatures
- Output: json/human formats
|
|
|
|
(#4960)
Prompt before opening web-login URL when performing login/adduser
|
|
Many of our commands parse their args via
[npm-package-arg](https://npm.im/npm-package-arg), which is a good
standard way of parsing a "package" argument. However the docs
surrounding these args are not very consistent. This can lead to
confusion in commands such as `npm publish` where the behavior is
slightly different than in the past due to this.
This adds a new help command `npm help package-spec` that describes what
this argument is, and can be, and also updates all the commands that
interpret their args this with to refer to them as `<package-spec>`. It
also adds a link to the new help page on their docs pages.
|
|
|
|
* feat: Add --use-webauth flag
* Add docs
* Switch from a separate flag to a variation of auth-type
* Update snapshot
|
|
Adds a minimalistic reify step that updates the installed tree after
initializing a new workspace.
Moved the shared update logic from `lib/commands/version.js` to a
`lib/workspaces/update-workspaces.js` module that is reused between
both `npm version` and `npm init`.
Relates to: https://github.com/npm/rfcs/issues/556
Relates to: https://github.com/npm/cli/pull/4588
|
|
|
|
The tests use real data now, a bare throw that is not a usageError was
also found and changed to a usageError
|
|
The removal of node_modules was happening in a race with the loading of
the virtualTree, and before the validation of the package-lock against
the package.json. This defers the removal till after all that
validation has happened.
It also makes the errors thrown usage errors, and refactors the tests to
be real.
|
