Age | Commit message | Author |
|
The difference between `adduser` and `login` depends on the `auth-type`.
- `web`: the POST to `/-/v1/login` contains a `{ create: true }` value
in its payload for `adduser`
- `legacy`: the `PUT` request to `/-/user/org.couchdb.user:${username}`
contains an `email` value in its payload for `adduser`.
BREAKING CHANGE: `login`, `adduser`, and `auth-type` changes
- This removes all `auth-type` configs except `web` and `legacy`.
- `login` and `adduser` are now separate commands that send different data to the registry.
- `auth-type` config values `web` and `legacy` only try
their respective methods; npm no longer tries them all and waits to see
which one doesn't fail.
|
|
BREAKING CHANGE: renames most of the `npm access` subcommands
- `edit`, having never been implemented, is removed
- `public` is now `set status=public`
- `restricted` is now `set status=private`
- `ls-packages` is now `list packages`
- `ls-collaborators` is now `list collaborators`
- `2fa-required` is now `set mfa=publish`
- `2fa-not-required` is now `set mfa=none`
- `set mfa=automation` is added
- output is no longer in json by default
Usage:
npm access list packages [<user>|<scope>|<scope:team> [<package>]
npm access list collaborators [<package> [<user>]]
npm access get status [<package>]
npm access set status=public|private [<package>]
npm access set mfa=false|publish|automation [<package>]
npm access grant <read-only|read-write> <scope:team> [<package>]
npm access revoke <scope:team> [<package>]
Options:
[--json] [--otp <otp>] [--registry <registry>]
|
|
BREAKING CHANGE: this removes the `npm birthday` command
|
|
BREAKING CHANGE: this removes `npm set-script`
Folks should use `npm pkg set` to set the `scripts` field in their
`package.json`
Closes https://github.com/npm/statusboard/issues/449
|
|
BREAKING CHANGE: this changes the default value of `install-links` to
true
Closes https://github.com/npm/statusboard/issues/510
|
|
BREAKING CHANGE: this removes the `npm bin` command
The output of this command is misleading and incomplete. The `.bin`
resolution of npm is much more nuanced than this command implies, and
the output of `npm bin` is not something end users should be dealing
with. `npm` itself is responsible for running the `bin` entries of
modules, with the exception of global bins, which end up in the same
folder as `node` itself, presumably already in a user's path since they
can run node.
Closes https://github.com/npm/statusboard/issues/537
|
|
The workspace-location-msg file was being called improperly by `npm
init` and not even tested, and when digging in it probably shouldn't be
used at all from there. It's not always a workspace in this context.
|
|
Lots of bugfixes here, we properly parse ranges and versions, and we
also now work with git repos and gists, and know when they are already
installed.
|
|
feat: add --replace-registry-host=<npmjs|always|never>|<hostname>
|
|
Co-authored-by: Gar <gar+gh@danger.computer>
|
|
checking if it's a workspace (#5164)
|
|
* fix: allow link from path with hash character
* fix: allow hash character in path in other places
* Remove extra semicolon
|
|
Closes #4765
RFC: https://github.com/npm/rfcs/pull/591
While this doesn't directly allow top-level cert/key as credentials (per the
original issue), it's a more targeted/secure approach that accomplishes the
same end-result; the new options are scoped to a specific registry, and the
actual cert/key contents are much less likely to be exposed. See the RFC for
more context.
Depends on:
* https://github.com/npm/npm-registry-fetch/pull/125
* https://github.com/npm/config/pull/69
|
|
* feat: add npm audit signatures
Implements [RFC: Improve signature verification](https://github.com/npm/rfcs/pull/550/)
Adds a new sub-command to `audit`: `npm audit signatures` (following [`npm audit licenses`](https://github.com/npm/cli/pull/3452))
This command will verify registry signatures stored in the packument against a public key on the registry.
Supporting:
- Any registry that implements `host/-/npm/v1/keys` endpoint and provides `signatures` in the packument `dist` object
- Validates public keys are not expired
- Errors when encountering packages with missing signatures when the registry returns keys at `host/-/npm/v1/keys`
- Errors when encountering invalid signatures
- Output: json/human formats
|
|
(#4960)
Prompt before opening web-login URL when performing login/adduser
|
|
Many of our commands parse their args via
[npm-package-arg](https://npm.im/npm-package-arg), which is a good
standard way of parsing a "package" argument. However the docs
surrounding these args are not very consistent. This can lead to
confusion in commands such as `npm publish` where the behavior is
slightly different than in the past due to this.
This adds a new help command `npm help package-spec` that describes what
this argument is, and can be, and also updates all the commands that
interpret their args with this to refer to them as `<package-spec>`. It
also adds a link to the new help page on their docs pages.
|
|
* feat: Add --use-webauth flag
* Add docs
* Switch from a separate flag to a variation of auth-type
* Update snapshot
|
|
Adds a minimalistic reify step that updates the installed tree after
initializing a new workspace.
Moved the shared update logic from `lib/commands/version.js` to a
`lib/workspaces/update-workspaces.js` module that is reused between
both `npm version` and `npm init`.
Relates to: https://github.com/npm/rfcs/issues/556
Relates to: https://github.com/npm/cli/pull/4588
|
|
The tests use real data now; a bare throw that is not a usageError was
also found and changed to a usageError
|
|
The removal of node_modules was happening in a race with the loading of
the virtualTree, and before the validation of the package-lock against
the package.json. This defers the removal till after all that
validation has happened.
It also makes the errors thrown usage errors, and refactors the tests to
be real.
|
|
* feat(arborist): added flag to omit lockfile resolved
* feat: add flag --omit-lockfile-registry-resolved
Co-authored-by: Caleb ツ Everett <calebev@amazon.com>
|
|
All three of these commands do the same thing: open a manifest and find
a url inside to open it. The finding of that manifest was not very
consistent across these three commands. Some work with workspaces while
others don't. Some work correctly with `--prefix` while others don't.
This PR consolidates these commands so that they all are consistent in
how they find the manifest being referenced. The specifics of which url
they open are still left to each command. The util that only these
three commands were using was consolidated into their base class.
|
|
It was querying whoami once for every package you starred/unstarred, and
incorrectly trying to determine if you weren't logged in. In fact the
function throws a descriptive message if you're not logged in already.
The whoami check was also racing with the fetch of the packument for
each package you were starring/unstarring meaning you could also get a
random 401 for a private package instead of the 'you need to log in'
message.
unstar was setting an undocumented config item to get the
shared code to unstar. The command already has a name attribute that
tells us what action we are doing so we can just use that.
Finally, the duplicated (and differing) params between the two commands
were consolidated.
|
|
Turns out there were three files that still had no test coverage because
of the combination of the mocks in tests and the coverage map. Removing
the map altogether exposed them.
This PR removes the coverage map and fixes tests to cover all lines that
were being missed.
While adding coverage to the `npm search` codebase multiple unneeded
guards and at least one bug were found (it was impossible to exclude
searches based on username). These were fixed.
The `npm view` tests were also refactored to use the real npm object.
Finally, a small inlining of lib/utils/file-exists.js was done.
|
|
As of npm@7, extraneous modules are always auto pruned
|
|
This code wasn't doing anything special, just dereferencing `name` from
a packument. There is no need for this to exist.
Most of the tests were able to handle having this go away, except for
`npm owner` which had to have its tests rewritten to be real, which of
course surfaced bugs along the way of behavior that was incorrectly
being tested. `npm owner` needs some love to clean up its UX, it throws
or returns inconsistently. I did fix it so that if there is no
package.json in cwd it errored as expected instead of throwing `ENOENT`
which is what it did before.
|
|
It should happen whenever we read a manifest anyways.
Tests were also rewritten to be real.
|
|
chalk is already in use elsewhere and does what we need
|
|
cacache appears to not write everything to the cache by the time doctor
is checking permissions. This limits the permissions error to a single
directory that we know exists by the time the checks run.
|
|
|
|