| Age | Commit message (Collapse) | Author |
|---|
|
BREAKING CHANGE: the default `auth-type` config value is now `web`
|
|
(#5480)
* Add a condition to fix third-party registries returning E400
* changed to a separate test.
Co-authored-by: Juan Heyns <jheyns@mit.edu>
|
|
The difference between `adduser` and `login` depends on the `auth-type`.
- `web`: the POST to `/-/v1/login` contains a `{ create: true }` value
in its payload for `adduser`
- `legacy` the `PUT` request to `/-/user/org.couchdb.user:${username}`
contains an `email` value in its payload for `adduser`.
BREAKING CHANGE: `login`, `adduser`, and `auth-type` changes
- This removes all `auth-type` configs except `web` and `legacy`.
- `login` and `adduser` are now separate commands that send different data to the registry.
- `auth-type` config values `web` and `legacy` only try
their respective methods, npm no longer tries them all and waits to see
which one doesn't fail.
|
|
BREAKING CHANGE: renames most of the `npm access` subcommands
- `edit`, having never been implemented, is removed
- `public` is now `set status=public`
- `restricted` is now `set status=private`
- `ls-packages` is now `list packages`
- `ls-collaborators` is now `list collaborators`
- `2fa-required` is now `set mfa=publish`
- `2fa-not-required` is now `set mfa=none`
- `set mfa=automation` is added
- output is no longer in json by default
Usage:
npm access list packages [<user>|<scope>|<scope:team> [<package>]
npm access list collaborators [<package> [<user>]]
npm access get status [<package>]
npm access set status=public|private [<package>]
npm access set mfa=false|publish|automation [<package>]
npm access grant <read-only|read-write> <scope:team> [<package>]
npm access revoke <scope:team> [<package>]
Options:
[--json] [--otp <otp>] [--registry <registry>]
|
|
BREAKING CHANGE: this removes the `npm birthday` command
|
|
BREAKING CHANGE: this removes `npm set-script`
Folks should use `npm pkg set` to set the `scripts` field in their
`package.json`
Closes https://github.com/npm/statusboard/issues/449
|
|
BREAKING CHANGE: this removes the `npm bin` command
The output of this command is misleading and incomplete. The `.bin`
resolution of npm is much more nuanced than this command implies, and
the output of `npm bin` is not something end users should be dealing
with. `npm` itself is responsible for running the `bin` entries of
modules, with the exception of global bins, which end up in the same
folder as `node` itself, presumably already in a user's path since they
can run node.
Closes https://github.com/npm/statusboard/issues/537
|
|
Some of our tests were failing in windows after testing on node 18. The
reason was the inability to clean up the logs dir. This changes forces
a few tests to run in order and also cleans up any use of multiple
`t.testdir` calls in a single child test which can cause problems.
|
|
|
|
In preparation for @npmcli/eslint-config@3.1.0
|
|
|
|
|
|
|
|
* correctly handle nerf-darted env vars
|
|
When `--prefix` is used, both the local and global prefix values are set
to be identical. This is functionally broken because their directory
structures are inherently different (for instance, in posix the tree is
in `lib/node_modules` in the global prefix).
This commit makes npm exec ignore the global folders if it detects both
local and global prefix are identical.
|
|
|
|
|
|
The workspace-location-msg file was being called improperly by `npm
init` and not even tested, and when digging in it probably shouldn't be
used at all from there. It's not always a workspace in this context.
|
|
new webAuthn flow (#5243)
|
|
Co-authored-by: Gar <gar+gh@danger.computer>
|
|
checking if its a workspace (#5164)
|
|
* fix: allow link from path with hash character
* fix: allow hash character in path in other places
* Remove extra semicolon
|
|
|
|
This also changes all the log messages about not being able to create
initial directories and files to `log.verbose` since we know run those
commands on init. There are a lot of valid reasons why those might fail,
and we don't want to show a warning for them every time.
Fixes: #4769
Fixes: #4838
Fixes: #4996
|
|
* feat: Add support for web auth, utilizing code from npm-profile
Co-authored-by: Jordan Harband <ljharb@gmail.com>
Co-authored-by: Hayden Faulds <fauldsh@gmail.com>
Co-authored-by: Sandeep Meduru <sandeepmeduru@github.com>
|
|
Closes #4765
RFC: https://github.com/npm/rfcs/pull/591
While this doesn't directly allow top-level cert/key as credentials (per the
original issue), it's a more targeted/secure approach that accomplishes the
same end-result; the new options are scoped to a specific registry, and the
actual cert/key contents are much less likely to be exposed. See the RFC for
more context.
Depends on:
* https://github.com/npm/npm-registry-fetch/pull/125
* https://github.com/npm/config/pull/69
|
|
|
|
|
|
* feat: add npm audit signatures
Implements [RFC: Improve signature verification](https://github.com/npm/rfcs/pull/550/)
Adds a new sub-command to `audit`: `npm audit signatures` (following [`npm audit licenses`](https://github.com/npm/cli/pull/3452))
This command will verify registry signatures stored in the packument against a public key on the registry.
Supporting:
- Any registry that implements `host/-/npm/v1/keys` endpoint and provides `signatures` in the packument `dist` object
- Validates public keys are not expired
- Errors when encountering packages with missing signatures when the registry returns keys at `host/-/npm/v1/keys`
- Errors when encountering invalid signatures
- Output: json/human formats
|
|
* deps: @npmcli/run-script@4.1.3
|
|
(#4960)
Prompt before opening web-login URL when performing login/adduser
|
|
This fixes an error in npm show. When calling npm show with a specific
version of a package that does not exist, it does not show anything and
gives a zero exit code. This has been changed: now it gives a 404 Error
similar to if the package does not exist. Can be tested with npm show
express@5.0.0 (local: node bin/npm-cli.js info express@5.0.0)
Fixes #4964
Co-authored-by: @lukaskuhn-lku
Co-authored-by: @ljharb
|
|
|
|
Adds a minimalistic reify step that updates the installed tree after
initializing a new workspace.
Moved the shared update logic from `lib/commands/version.js` to a
`lib/workspaces/update-workspaces.js` module that is reused between
both `npm version` and `npm init`.
Relates to: https://github.com/npm/rfcs/issues/556
Relates to: https://github.com/npm/cli/pull/4588
|
|
|
|
|
|
|
|
The tests use real data now, a bare throw that is not a usageError was
also found and changed to a usageError
|
|
The removal of node_modules was happening in a race with the loading of
the virtualTree, and before the validation of the package-lock against
the package.json. This defers the removal till after all that
validation has happened.
It also makes the errors thrown usage errors, and refactors the tests to
be real.
|
|
|
|
All three of these commands do the same thing: open a manifest and find
a url inside to open it. The finding of that manifest was not very
consistent across these three commands. Some work with workspaces while
others don't. Some work correctly with `--prefix` while others don't.
This PR consolidates these commands so that they all are consistent in
how they find the manifest being referenced. The specifics of which url
they open are still left to each command. The util that only these
three commands were using was consolidated into their base class.
|
|
It was querying whoami once for every package you starred/unstarred, and
incorrectly trying to determine if you weren't logged in. In fact the
function throws a descriptive message if you're not logged in already.
The whoami check was also racing with the fetch of the packument for
each package you were starring/unstarring meaning you could also get a
random 401 for a private package instead of the 'you need to log in'
message.
unstar was setting an undocumented config item to get the
shared code to unstar. The command already has a name attribute that
tells us what action we are doing so we can just use that.
Finally, the duplicated (and differing) params between the two commands
were consolidated.
|
|
Turns out there were three files that still had no test coverage because
of the combination of the mocks in tests and the coverage map. Removing
the map altogether exposed them.
This PR removes the coverage map and fixes test to cover all lines that
were being missed.
While adding coverage to the `npm search` codebase multiple unneeded
guards and at least one bug was found (it was impossible to exclude
searches based on username). These were fixed.
The `npm view` tests were also refactored to use the real npm object.
Finally, a small inlining of lib/utils/file-exists.js was done.
|
|
|
|
|
|
|
|
chalk already has a way to disable color output, so if we don't want
color we can disable it there and always use that instance of chalk.
This was only updated in the two commands that have real tests. Doing
it in the other places is going to require making their tests real so
that we don't ALSO have to rewrite their tests just to change their
internal code.
|
|
|
|
|
|
|
