Age | Commit message | Author |
|
Added link deps need to be relative to the package they're being added
to, not the project root. In the past the project root was the only
place you could add things but workspaces changed this.
|
(#5233)
By passing in the edge we can determine if the edge is overridden, and if it is, the path we want to return is the project root, since that's what users will have defined their overrides relative to
|
run-script update changed cmd signatures
|
When set, installLinks instructs arborist to pack and extract a `file:`
dependency rather than creating a symlink to it. This has the effect of
also installing the dependencies for the linked dependency, though if
local changes are made it also requires the user to reinstall the
package.
|
Link target from the root
|
When generating an audit report, a cache of seen advisories is kept to
avoid doing any repeat fanout work on its nodes. Previously this cache
was also preventing audits from being added to the report. This has been
fixed so the cache is only used to prevent extra work, but all valid
advisories are added to the output.
Fixes #4681
|
new metavuln-calculator fields
|
When declaring dependencies to workspaces the common practice is to
refer to their version numbers. Currently the cli adds a link reference
instead of the proper semver range when trying to install/declare as a
direct dependency one of its own workspaces.
This change fixes it by adding a new condition for handling workspace
edges when saving the current ideal tree.
Relates to: https://github.com/npm/cli/issues/3403
|
Arborist was not loading the actual tree when using named updates for
global updates; that would result in removing all previously installed
deps from a global install anytime the user would try to run
`npm update <pkgname>`.
This changeset fixes the problem by allowing the load of the actual tree
if the `global` and `update.names` options are defined.
Added a few more tests to illustrate, but some of the snapshots already
included were actually demonstrating the problem by having empty trees
as the result; these are now also updated with the expected tree result.
Fixes: https://github.com/npm/cli/issues/3175
|
closes #3637
|
Previously `npm update` was not respecting the `save` option; it
would be impossible for users to use `npm update` and automatically
update their `package.json` files.
This fixes it by adding extra steps on `Arborist.reify._saveIdealTree`
to read direct dependencies of any `package.json` and update them as
needed when reifying using the `update` and `save` options.
- Uses config.isDefault to set a different value for the `save` config
  for both the update and dedupe commands
- Tweaks arborist to make sure saveIdealTree preserves the behavior of
  skipping writing to package-lock.json on save=false for install while
  still writing the lockfile for `npm update` with its new default value
  of save=false.
- Updated and added some new tests on arborist to cover for these tweaks
- Added `npm update --save` smoke test on cli
Fixes: https://github.com/npm/cli/issues/708
Fixes: https://github.com/npm/cli/issues/2704
Relates to: https://github.com/npm/feedback/discussions/270
|
It turns out that `new Arborist().buildIdealTree().meta.toString()` does
not take into account the indentation in the package.json (tabs, in my
case) the way `npm install --package-lock-only` does.
This fixes that. Also included a bonus commit that removes redundant
Promise stuff inside an `async function`.
|
shrinkwrap contents without saving (#4181)
|
Added libnpm workspaces and arborist
|