### v3.3.0 (2015-08-13): This is a pretty EXCITING week. But I may be a little excitable– or possibly sleep deprived, it's sometimes hard to tell them apart. =D So [Kat](https://github.com/zkat) really went the extra mile this week and got the client side support for teams and orgs out in this week's 2.x release. You can't use that just yet, 'cause we have to turn on some server side stuff too, but this way it'll be there for you all the moment we do! Check out the details over in the [2.14.0 release notes](https://github.com/npm/npm/releases/tag/v2.14.0)! But we over here in 3.x ALSO got a new feature this week, check out the new `--only` and `--also` flags for better control over when dev and production dependencies are used by various npm commands. That, and some important bug fixes round out this week. Enjoy everyone! #### NEVER SHALL NOT BETA THE BETA **_THIS IS BETA SOFTWARE_**. EXCITING NEW BETA WARNING!!! Ok, I fibbed, EXACTLY THE SAME BETA WARNINGS: `npm@3` will remain in beta until we're confident that it's stable and have assessed the effect of the breaking changes on the community. During that time we will still be doing `npm@2` releases, with `npm@2` tagged as `latest` and `next`. We'll _also_ be publishing new releases of `npm@3` as `npm@v3.x-next` and `npm@v3.x-latest` alongside those versions until we're ready to switch everyone over to `npm@3`. We need your help to find and fix its remaining bugs. It's a significant rewrite, so we are _sure_ there still significant bugs remaining. So do us a solid and deploy it in non-critical CI environments and for day-to-day use, but maybe don't use it for production maintenance or frontline continuous deployment just yet. #### ONLY ALSO DEV Hey we've got a SUPER cool new feature for you all, thanks to the fantastic work of [@davglass](https://github.com/davglass) and [@bengl](https://github.com/bengl) we have `--only=prod`, `--only=dev`, `--also=prod` and `--also=dev` options. These apply in various ways to: `npm install`, `npm ls`, `npm outdated` and `npm update`. So for instance: ``` npm install --only=dev ``` Only installs dev dependencies. By contrast: ``` npm install --only=prod ``` Will only install prod dependencies and is very similar to `--production` but differs in that it doesn't set the environment variables that `--production` does. The related new flag, `--also` is most useful with things like: ``` npm shrinkwrap --also=dev ``` As shrinkwraps don't include dev deps by default. This replaces passing in `--dev` in that scenario. And that leads into the fact that this deprecates `--dev` as its semantics across commands were inconsistent and confusing. * [`3ab1eea`](https://github.com/npm/npm/commit/3ab1eea) [#9024](https://github.com/npm/npm/pull/9024) Add support for `--only`, `--also` and deprecate `--dev` ([@bengl](https://github.com/bengl)) #### DON'T TOUCH! THAT'S NOT YOUR BIN * [`b31812e`](https://github.com/npm/npm/commit/b31812e) [#8996](https://github.com/npm/npm/pull/8996) When removing a module that has bin files, if one that we're going to remove is a symlink to a DIFFERENT module, leave it alone. This only happens when you have two modules that try to provide the same bin. ([@iarna](https://github.com/iarna)) #### THERE'S AN END IN SIGHT * [`d2178a9`](https://github.com/npm/npm/commit/d2178a9) [#9223](https://github.com/npm/npm/pull/9223) Close a bunch of infinite loops that could show up with symlink cycles in your dependencies. ([@iarna](https://github.com/iarna)) #### OOPS DIDN'T MEAN TO FIX THAT Well, not _just_ yet. This was scheduled for next week, but it snuck into 2.x this week. * [`139dd92`](https://github.com/npm/npm/commit/139dd92) [#8716](https://github.com/npm/npm/pull/8716) `npm init` will now only pick up the modules you install, not everything else that got flattened with them. ([@iarna](https://github.com/iarna)) ### v2.14.0 (2015-08-13): #### IT'S HERE! KINDA! This release adds support for teens and orcs (err, teams and organizations) to the npm CLI! Note that the web site and registry-side features of this are still not ready for public consumption. A beta should be starting in the next couple of weeks, and the features themselves will become public once all that's done. Keep an eye out for more news! All of these changes were done under [`#9011`](https://github.com/npm/npm/pull/9011): * [`6424170`](https://github.com/npm/npm/commit/6424170fc17c666a6efc090370ec691e0cab1792) Added new `npm team` command and subcommands. ([@zkat](https://github.com/zkat)) * [`52220d1`](https://github.com/npm/npm/commit/52220d146d474ec29b683bd99c06f75cbd46a9f4) Added documentation for new `npm team` command. ([@zkat](https://github.com/zkat)) * [`4e66830`](https://github.com/npm/npm/commit/4e668304850d02df8eb27a779fda76fe5de645e7) Updated `npm access` to support teams and organizations. ([@zkat](https://github.com/zkat)) * [`ea3eb87`](https://github.com/npm/npm/commit/ea3eb8733d9fa09ce34106b1b19fb1a8f95844a5) Gussied up docs for `npm access` with new commands. ([@zkat](https://github.com/zkat)) * [`6e0b431`](https://github.com/npm/npm/commit/6e0b431c1de5e329c86e57d097aa88ebfedea864) Fix up `npm whoami` to make the underlying API usable elsewhere. ([@zkat](https://github.com/zkat)) * [`f29c931`](https://github.com/npm/npm/commit/f29c931012ce5ccd69c29d83548f27e443bf7e62) `npm-registry-client@7.0.1`: Upgrade `npm-registry-client` API to support `team` and `access` calls against the registry. ([@zkat](https://github.com/zkat)) #### A FEW EXTRA VERSION BUMPS * [`c977e12`](https://github.com/npm/npm/commit/c977e12cbfa50c2f52fc807f5cc19ba1cc1b39bf) `init-package-json@1.8.0`: Checks for some `npm@3` metadata. ([@iarna](https://github.com/iarna)) * [`5c8c9e5`](https://github.com/npm/npm/commit/5c8c9e5ae177ba7d0d298cfa42f3fc7f0271e4ec) `columnify@1.5.2`: Updated some dependencies. ([@timoxley](https://github.com/timoxley)) * [`5d56742`](https://github.com/npm/npm/commit/5d567425768b75aeab402c817a53d8b2bc60d8de) `chownr@1.0.1`: Tests, docs, and minor style nits. ([@isaacs](https://github.com/isaacs)) #### ALSO A DOC FIX * [`846fcc7`](https://github.com/npm/npm/commit/846fcc79b86984b109a97366b0422f995a45f8bf) [`#9200`](https://github.com/npm/npm/pull/9200) Remove single quotes around semver range, thus making it valid semver. ([@KenanY](https://github.com/KenanY)) ### v3.2.2 (2015-08-08): Lot's of lovely bug fixes for `npm@3`. I'm also suuuuper excited that I think we have a handle on stack explosions that effect a small portion of our users. We also have some tantalizing clues as to where some low hanging fruit may be for performance issues. And of course, in addition to the npm@3 specific bug fixes, there are some great one's coming in from npm@2! [@othiym23](https://github.com/othiym23) put together that release this week– check out its [release notes](https://github.com/npm/npm/releases/tag/v2.13.4) for the deets. #### AS ALWAYS STILL BETA **_THIS IS BETA SOFTWARE_**. Just like the airline safety announcements, we're not taking this plane off till we finish telling you: `npm@3` will remain in beta until we're confident that it's stable and have assessed the effect of the breaking changes on the community. During that time we will still be doing `npm@2` releases, with `npm@2` tagged as `latest` and `next`. We'll _also_ be publishing new releases of `npm@3` as `npm@v3.x-next` and `npm@v3.x-latest` alongside those versions until we're ready to switch everyone over to `npm@3`. We need your help to find and fix its remaining bugs. It's a significant rewrite, so we are _sure_ there still significant bugs remaining. So do us a solid and deploy it in non-critical CI environments and for day-to-day use, but maybe don't use it for production maintenance or frontline continuous deployment just yet. #### BUG FIXES * [`a8c8a13`](https://github.com/npm/npm/commit/a8c8a13) [#9050](https://github.com/npm/npm/issues/9050) Resolve peer deps relative to the parent of the requirer ([@iarna](http://github.com/iarna)) * [`05f0226`](https://github.com/npm/npm/commit/05f0226) [#9077](https://github.com/npm/npm/issues/9077) Fix crash when saving `git+ssh` urls ([@iarna](http://github.com/iarna)) * [`e4a3808`](https://github.com/npm/npm/commit/e4a3808) [#8951](https://github.com/npm/npm/issues/8951) Extend our patch to allow `*` to match something when a package only has prerelease versions to everything and not just the cache. ([@iarna](http://github.com/iarna)) * [`d135abf`](https://github.com/npm/npm/commit/d135abf) [#8871](https://github.com/npm/npm/issues/8871) Don't warn about a missing `package.json` or missing fields in the global install directory. ([@iarna](http://github.com/iarna)) #### DEP VERSION BUMPS * [`990ee4f`](https://github.com/npm/npm/commit/990ee4f) path-is-inside@1.0.1 ([@domenic](https://github.com/domenic)) * [`1f71ec0`](https://github.com/npm/npm/commit/1f71ec0) lodash.clonedeep@3.0.2 ([@jdalton](https://github.com/jdalton)) * [`a091354`](https://github.com/npm/npm/commit/a091354) marked@0.3.5 ([@chjj](https://github.com/chjj)) * [`fc51f28`](https://github.com/npm/npm/commit/fc51f28) tap@1.3.2 ([@isaacs](https://github.com/isaacs)) * [`3569ec0`](https://github.com/npm/npm/commit/3569ec0) nock@2.10.0 ([@pgte](https://github.com/pgte)) * [`ad5f6fd`](https://github.com/npm/npm/commit/ad5f6fd) npm-registry-mock@1.0.1 ([@isaacs](https://github.com/isaacs)) ### v2.13.5 (2015-08-07): This is another quiet week for the `npm@2` release. [@zkat](https://github.com/zkat) has been working hard on polishing the CLI bits of the registry's new feature to support direct management of teams and organizations, and [@iarna](https://github.com/iarna) continues to work through the list of issues blocking the general release of `npm@3`, which is looking more and more solid all the time. [@othiym23](https://github.com/othiym23) and [@zkat](https://github.com/zkat) have also been at this week's Node.js / io.js [collaborator summit](https://github.com/nodejs/summit/tree/master), both as facilitators and participants. This is a valuable opportunity to get some face time with other contributors and to work through a bunch of important discussions, but it does leave us feeling kind of sleepy. Running meetings is hard! What does that leave for this release? A few of the more tricky bug fixes that have been sitting around for a little while now, and a couple dependency upgrades. Nothing too fancy, but most of these were contributed by developers like _you_, which we think is swell. Thanks! #### BUG FIXES * [`d7271b8`](https://github.com/npm/npm/commit/d7271b8226712479cdd339bf85faf7e394923e0d) [#4530](https://github.com/npm/npm/issues/4530) The bash completion script for npm no longer alters global completion behavior around word breaks. ([@whitty](https://github.com/whitty)) * [`c9ce294`](https://github.com/npm/npm/commit/c9ce29415a0a8fc610690b6e9d91b64d6e36cfcc) [#7198](https://github.com/npm/npm/issues/7198) When setting up dependencies to be shared via `npm link `, only run the lifecycle scripts during the original link, not when running `npm link ` or `npm install --link` against them. ([@murgatroid99](https://github.com/murgatroid99)) * [`422da66`](https://github.com/npm/npm/commit/422da664bd3ce71313da447f170507faf5aac46a) [#9108](https://github.com/npm/npm/issues/9108) Clear up minor confusion around wording in `bundledDependencies` section of `package.json` docs. ([@derekpeterson](https://github.com/derekpeterson)) * [`6b42d99`](https://github.com/npm/npm/commit/6b42d99460885e715772d3487b1c548d2bc8a738) [#9146](https://github.com/npm/npm/issues/9146) Include scripts that run for `preversion`, `version`, and `postversion` in the section for lifecycle scripts rather than the generic `npm run-script` output. ([@othiym23](https://github.com/othiym23)) #### NOPE, NOT DONE WITH DEPENDENCY UPDATES * [`91a48bb`](https://github.com/npm/npm/commit/91a48bb5ef5a990781c86f8b69b8a32cf4fac2d9) `chmodr@1.0.1`: Ignore symbolic links when recursively changing mode, just like the Unix command. ([@isaacs](https://github.com/isaacs)) * [`4bbc86e`](https://github.com/npm/npm/commit/4bbc86e3825e2eee9a8758ba26bdea0cb6a2581e) `nock@2.10.0` ([@pgte](https://github.com/pgte)) ### v3.2.1 (2015-07-31): #### AN EXTRA QUIET RELEASE A bunch of stuff got deferred for various reasons, which just means more branches to land next week! Don't forget to check out [Kat's 2.x release](https://github.com/npm/npm/releases/tag/v2.13.4) for other quiet goodies. #### AS ALWAYS STILL BETA **_THIS IS BETA SOFTWARE_**. Yes, we're still reminding you of this. No, you can't be excused. `npm@3` will remain in beta until we're confident that it's stable and have assessed the effect of the breaking changes on the community. During that time we will still be doing `npm@2` releases, with `npm@2` tagged as `latest` and `next`. We'll _also_ be publishing new releases of `npm@3` as `npm@v3.x-next` and `npm@v3.x-latest` alongside those versions until we're ready to switch everyone over to `npm@3`. We need your help to find and fix its remaining bugs. It's a significant rewrite, so we are _sure_ there still significant bugs remaining. So do us a solid and deploy it in non-critical CI environments and for day-to-day use, but maybe don't use it for production maintenance or frontline continuous deployment just yet. #### MAKING OUR TESTS TEST THE THING THEY TEST * [`6e53c3d`](https://github.com/npm/npm/commit/6e53c3d) [#8985](https://github.com/npm/npm/pull/8985) Many thanks to @bengl for noticing that one of our tests wasn't testing what it claimed it was testing! ([@bengl](https://github.com/bengl)) #### MY PACKAGE.JSON WAS ALREADY IN THE RIGHT ORDER * [`eb2c7aa`](https://github.com/npm/npm/commit/d00d0f) [#9068](https://github.com/npm/npm/pull/9079) Stop sorting keys in the `package.json` that we haven't edited. Many thanks to [@Qix-](https://github.com/Qix-) for bringing this up and providing a first pass at a patch for this. ([@iarna](https://github.com/iarna)) #### DEV DEP UPDATE * [`555f60c`](https://github.com/npm/npm/commit/555f60c) marked@0.3.4 ### v2.13.4 (2015-07-30): #### JULY ENDS ON A FAIRLY QUIET NOTE Hey everyone! I hope you've had a great week. We're having a fairly small release this week while we wrap up Teams and Orgs (or, as we've taken to calling it internally, _Teens and Orcs_). In other exciting news, a bunch of us are gonna be at the [Node.js Collaborator Summit](https://github.com/nodejs/summit/issues/1), and you can also find us at [wafflejs](https://wafflejs.com/) on Wednesday. Hopefully we'll be seeing some of you there. :) #### THE PATCH!!! So here it is. The patch. Hope it helps. (Thanks, [@ktarplee](https://github.com/ktarplee)!) * [`2e58c48`](https://github.com/npm/npm/commit/2e58c4819e3cafe4ae23ab7f4a520fe09258cfd7) [#9033](https://github.com/npm/npm/pull/9033) `npm version` now works on git submodules ([@ktarplee](https://github.com/ktarplee)) #### OH AND THERE'S A DEV DEPENDENCIES UPDATE Hooray. * [`d204683`](https://github.com/npm/npm/commit/d2046839d471322e61e3ceb0f00e78e5c481f967) nock@2.9.1 ([@pgte](https://github.com/pgte)) ### v3.2.0 (2015-07-24): #### MORE CONFIG, BETTER WINDOWS AND A BUG FIX This is a smallish release with a new config option and some bug fixes. And lots of module updates. #### BETA BETAS ON **_THIS IS BETA SOFTWARE_**. Yes, we're still reminding you of this. No, you can't be excused. `npm@3` will remain in beta until we're confident that it's stable and have assessed the effect of the breaking changes on the community. During that time we will still be doing `npm@2` releases, with `npm@2` tagged as `latest` and `next`. We'll _also_ be publishing new releases of `npm@3` as `npm@v3.x-next` and `npm@v3.x-latest` alongside those versions until we're ready to switch everyone over to `npm@3`. We need your help to find and fix its remaining bugs. It's a significant rewrite, so we are _sure_ there still significant bugs remaining. So do us a solid and deploy it in non-critical CI environments and for day-to-day use, but maybe don't use it for production maintenance or frontline continuous deployment just yet. #### NEW CONFIGS, LESS PROGRESS * [`423d8f7`](https://github.com/npm/npm/commit/423d8f7) [#8704](https://github.com/npm/npm/issues/8704) Add the ability to disable the new progress bar with `--no-progress` ([@iarna](https://github.com/iarna)) #### AND BUG FIXES * [`b3ee452`](https://github.com/npm/npm/commit/b3ee452) [#9038](https://github.com/npm/npm/pull/9038) We previously disabled the use of the new `fs.access` API on Windows, but the bug we were seeing is fixed in io.js@1.5.0 so we now use `fs.access` if you're using that version or greater. ([@iarna](https://github.com/iarna)) * [`b181fa3`](https://github.com/npm/npm/commit/b181fa3) [#8921](https://github.com/npm/npm/issues/8921) [#8637](https://github.com/npm/npm/issues/8637) Rejigger how we validate modules for install. This allow is to fix a problem where arch/os checking wasn't being done at all. It also made it easy to add back in a check that declines to install a module in itself unless you force it. ([@iarna](https://github.com/iarna)) #### AND A WHOLE BUNCH OF SUBDEP VERSIONS These are all development dependencies and semver-compatible subdep upgrades, so they should not have visible impact on users. * [`6b3f6d9`](https://github.com/npm/npm/commit/6b3f6d9) standard@4.3.3 * [`f4e22e5`](https://github.com/npm/npm/commit/f4e22e5) readable-stream@2.0.2 (inside concat-stream) * [`f130bfc`](https://github.com/npm/npm/commit/f130bfc) minimatch@2.0.10 (inside node-gyp's copy of glob) * [`36c6a0d`](https://github.com/npm/npm/commit/36c6a0d) caseless@0.11.0 * [`80df59c`](https://github.com/npm/npm/commit/80df59c) chalk@1.1.0 * [`ea935d9`](https://github.com/npm/npm/commit/ea935d9) bluebird@2.9.34 * [`3588a0c`](https://github.com/npm/npm/commit/3588a0c) extend@3.0.0 * [`c6a8450`](https://github.com/npm/npm/commit/c6a8450) form-data@1.0.0-rc2 * [`a04925b`](https://github.com/npm/npm/commit/a04925b) har-validator@1.8.0 * [`ee7c095`](https://github.com/npm/npm/commit/ee7c095) has-ansi@2.0.0 * [`944fc34`](https://github.com/npm/npm/commit/944fc34) hawk@3.1.0 * [`783dc7b`](https://github.com/npm/npm/commit/783dc7b) lodash._basecallback@3.3.1 * [`acef0fe`](https://github.com/npm/npm/commit/acef0fe) lodash._baseclone@3.3.0 * [`dfe959a`](https://github.com/npm/npm/commit/dfe959a) lodash._basedifference@3.0.3 * [`a03bc76`](https://github.com/npm/npm/commit/a03bc76) lodash._baseflatten@3.1.4 * [`8a07d50`](https://github.com/npm/npm/commit/8a07d50) lodash._basetostring@3.0.1 * [`7785e3f`](https://github.com/npm/npm/commit/7785e3f) lodash._baseuniq@3.0.3 * [`826fb35`](https://github.com/npm/npm/commit/826fb35) lodash._createcache@3.1.2 * [`76030b3`](https://github.com/npm/npm/commit/76030b3) lodash._createpadding@3.6.1 * [`1a49ec6`](https://github.com/npm/npm/commit/1a49ec6) lodash._getnative@3.9.1 * [`eebe47f`](https://github.com/npm/npm/commit/eebe47f) lodash.isarguments@3.0.4 * [`09994d4`](https://github.com/npm/npm/commit/09994d4) lodash.isarray@3.0.4 * [`b6f8dbf`](https://github.com/npm/npm/commit/b6f8dbf) lodash.keys@3.1.2 * [`c67dd6b`](https://github.com/npm/npm/commit/c67dd6b) lodash.pad@3.1.1 * [`4add042`](https://github.com/npm/npm/commit/4add042) lodash.repeat@3.0.1 * [`e04993c`](https://github.com/npm/npm/commit/e04993c) lru-cache@2.6.5 * [`2ed7da4`](https://github.com/npm/npm/commit/2ed7da4) mime-db@1.15.0 * [`ae08244`](https://github.com/npm/npm/commit/ae08244) mime-types@2.1.3 * [`e71410e`](https://github.com/npm/npm/commit/e71410e) os-homedir@1.0.1 * [`67c13e0`](https://github.com/npm/npm/commit/67c13e0) process-nextick-args@1.0.2 * [`12ee041`](https://github.com/npm/npm/commit/12ee041) qs@4.0.0 * [`15564a6`](https://github.com/npm/npm/commit/15564a6) spdx-license-ids@1.0.2 * [`8733bff`](https://github.com/npm/npm/commit/8733bff) supports-color@2.0.0 * [`230943c`](https://github.com/npm/npm/commit/230943c) tunnel-agent@0.4.1 * [`26a4653`](https://github.com/npm/npm/commit/26a4653) ansi-styles@2.1.0 * [`3d27081`](https://github.com/npm/npm/commit/3d27081) bl@1.0.0 * [`9efa110`](https://github.com/npm/npm/commit/9efa110) async@1.4.0 #### MERGED FORWARD * As usual, we've ported all the npm@2 goodies in this week's [v2.13.3](https://github.com/npm/npm/releases/tag/v2.13.3) release. ### v2.13.3 (2015-07-23): #### I'M SAVING THE GOOD JOKES FOR MORE INTERESTING RELEASES It's pretty hard to outdo last week's release buuuuut~ I promise I'll have a treat when we release our shiny new **Teams and Organizations** feature! :D (Coming Soon™). It'll be a real *gem*. That means it's a pretty low-key release this week. We got some nice documentation tweaks, a few bugfixes, and other such things, though! Oh, and a _bunch of version bumps_. Thanks, `semver`! #### IT'S THE LITTLE THINGS THAT MATTER * [`2fac6ae`](https://github.com/npm/npm/commit/2fac6aeffefba2934c3db395b525d931599c34d8) [#9012](https://github.com/npm/npm/issues/9012) A convenience for releases -- using the globally-installed npm before now was causing minor annoyances, so we just use the exact same npm we're releasing to build the new release. ([@zkat](https://github.com/zkat)) #### WHAT DOES THIS BUTTON DO? There's a couple of doc updates! The last one might be interesting. * [`4cd3205`](https://github.com/npm/npm/commit/4cd32050c0f89b7f1ae486354fa2c35eea302ba5) [#9002](https://github.com/npm/npm/issues/9002) Updated docs to list the various files that npm automatically includes and excludes, regardless of settings. ([@SimenB](https://github.com/SimenB)) * [`cf09e75`](https://github.com/npm/npm/commit/cf09e754931739af32647d667b671e72a4c79081) [#9022](https://github.com/npm/npm/issues/9022) Document the `"access"` field in `"publishConfig"`. Did you know you don't need to use `--access=public` when publishing scoped packages?! Just put it in your `package.json`! Go refresh yourself on scopes packages by [checking our docs](https://docs.npmjs.com/getting-started/scoped-packages) on them. ([@boennemann](https://github.com/boennemann)) * [`bfd73da`](https://github.com/npm/npm/commit/bfd73da33349cc2afb8278953b2ae16ea95023de) [#9013](https://github.com/npm/npm/issues/9013) fixed typo in changelog ([@radarhere](https://github.com/radarhere)) #### THE SEMVER MAJOR VERSION APOCALYPSE IS UPON US Basically, `semver` is up to `@5`, and that meant we needed to go in an update a bunch of our dependencies manually. `node-gyp` is still pending update, since it's not ours, though! * [`9232e58`](https://github.com/npm/npm/commit/9232e58d54c032c23716ef976023d36a42bfdcc9) [#8972](https://github.com/npm/npm/issues/8972) `init-package-json@1.7.1` ([@othiym23](https://github.com/othiym23)) * [`ba44f6b`](https://github.com/npm/npm/commit/ba44f6b4201a4faee025341b123e372d8f45b6d9) [#8972](https://github.com/npm/npm/issues/8972) `normalize-package-data@2.3.1` ([@othiym23](https://github.com/othiym23)) * [`3901d3c`](https://github.com/npm/npm/commit/3901d3cf191880bb4420b1d6b8aedbcd8fc26cdf) [#8972](https://github.com/npm/npm/issues/8972) `npm-install-checks@1.0.6` ([@othiym23](https://github.com/othiym23)) * [`ffcc7dd`](https://github.com/npm/npm/commit/ffcc7dd12f8bb94ff0f64c465c57e460b3f24a24) [#8972](https://github.com/npm/npm/issues/8972) `npm-package-arg@4.0.2` ([@othiym23](https://github.com/othiym23)) * [`7128f9e`](https://github.com/npm/npm/commit/7128f9ec10c0c8482087511b716dbddb54249626) [#8972](https://github.com/npm/npm/issues/8972) `npm-registry-client@6.5.1` ([@othiym23](https://github.com/othiym23)) * [`af28911`](https://github.com/npm/npm/commit/af28911ecd54a844f848c6ae41887097d6aa2f3b) [#8972](https://github.com/npm/npm/issues/8972) `read-installed@4.0.2` ([@othiym23](https://github.com/othiym23)) * [`3cc817a`](https://github.com/npm/npm/commit/3cc817a0f34f698b580ff6ff02308700efc54f7c) [#8972](https://github.com/npm/npm/issues/8972) node-gyp needs its own version of semver ([@othiym23](https://github.com/othiym23)) * [`f98eccc`](https://github.com/npm/npm/commit/f98eccc6e3a6699ca0aa9ecbad93a3b995583871) [#8972](https://github.com/npm/npm/issues/8972) `semver@5.0.1`: Stop including browser builds. ([@isaacs](https://github.com/isaacs)) #### \*BUMP\* And some other version bumps for good measure. * [`254ecfb`](https://github.com/npm/npm/commit/254ecfb04f026c2fd16427db01a53600c1892c8b) [#8990](https://github.com/npm/npm/issues/8990) `marked-man@0.1.5`: Fixes an issue with documentation rendering where backticks in 2nd-level headers would break rendering (?!?!) ([@steveklabnik](https://github.com/steveklabnik)) * [`79efd79`](https://github.com/npm/npm/commit/79efd79ac216da8cee8636fb2ed926b0196a4eb6) `minimatch@2.0.10`: A pattern like `'*.!(x).!(y)'` should not match a name like `'a.xyz.yab'`. ([@isaacs](https://github.com/isaacs)) * [`39c7dc9`](https://github.com/npm/npm/commit/39c7dc9a4e17cd35a5ed882ba671821c9a900f9e) `request@2.60.0`: A few bug fixes and doc updates. ([@simov](https://github.com/simov)) * [`72d3c3a`](https://github.com/npm/npm/commit/72d3c3a9e1e461608aa21b14c01a650333330da9) `rimraf@2.4.2`: Minor doc and dep updates ([@isaacs](https://github.com/isaacs)) * [`7513035`](https://github.com/npm/npm/commit/75130356a06f5f4fbec3786aac9f9f0b36dfe010) `nock@2.9.1` ([@pgte](https://github.com/pgte)) * [`3d9aa82`](https://github.com/npm/npm/commit/3d9aa82260f0643a32c13d0c1ed16f644b6fd4ab) Fixes this thing where Kat decided to save `nock` as a regular dependency ;) ([@othiym23](https://github.com/othiym23)) ### v3.1.3 (2015-07-17): Rebecca: So Kat, I hear this week's other release uses a dialog between us to explain what changed? Kat: Well, you could say that… Rebecca: I would! This week I fixed more npm@3 bugs! Kat: That sounds familiar. Rebecca: Eheheheh, well, before we look at those, a word from our sponsor… #### BETA IS AS BETA DOES **_THIS IS BETA SOFTWARE_**. Yes, we're still reminding you of this. No, you can't be excused. `npm@3` will remain in beta until we're confident that it's stable and have assessed the effect of the breaking changes on the community. During that time we will still be doing `npm@2` releases, with `npm@2` tagged as `latest` and `next`. We'll _also_ be publishing new releases of `npm@3` as `npm@v3.x-next` and `npm@v3.x-latest` alongside those versions until we're ready to switch everyone over to `npm@3`. We need your help to find and fix its remaining bugs. It's a significant rewrite, so we are _sure_ there still significant bugs remaining. So do us a solid and deploy it in non-critical CI environments and for day-to-day use, but maybe don't use it for production maintenance or frontline continuous deployment just yet. Rebecca: Ok, enough of the dialoguing, that's Kat's schtick. But do remember kids, betas hide in dark hallways waiting to break your stuff, stuff like… #### SO MANY LINKS YOU COULD MAKE A CHAIN * [`6d69ec9`](https://github.com/npm/npm/6d69ec9) [#8967](https://github.com/npm/npm/issues/8967) Removing a module linked into your globals would result in having all of its subdeps removed. Since the npm release process does exactly this, it burned me -every- -single- -week-. =D While we're here, we also removed extraneous warns that used to spill out when you'd remove a symlink. ([@iarna](https://github.com/iarna)) * [`fdb360f`](https://github.com/npm/npm/fdb360f) [#8874](https://github.com/npm/npm/issues/8874) Linking scoped modules was failing outright, but this fixes that and updates our tests so we don't do it again. ([@iarna](https://github.com/iarna)) #### WE'LL TRY NOT TO CRACK YOUR WINDOWS * [`9fafb18`](https://github.com/npm/npm/9fafb18) [#8701](https://github.com/npm/npm/issues/8701) npm@3 introduced permissions checks that run before it actually tries to do something. This saves you from having an install fail half way through. We did this using the shiny new `fs.access` function available in `node 0.12` and `io.js`, with fallback options for older nodes. Unfortunately the way we implemented the fallback caused racey problems for Windows systems. This fixes that by ensuring we only ever run any one check on a directory once. BUT it turns out there are bugs in `fs.access` on Windows. So this ALSO just disables the use of `fs.access` on Windows entirely until that settles out. ([@iarna](https://github.com/iarna)) #### ZOOM ZOOM, DEP UPDATES * [`5656baa`](https://github.com/npm/npm/5656baa) `gauge@1.2.2`: Better handle terminal resizes while printing the progress bar ([@iarna](https://github.com/iarna)) #### MERGED FORWARD * Check out Kat's [super-fresh release notes for v2.13.2](https://github.com/npm/npm/releases/tag/v2.13.2) and see all the changes we ported from npm@2. ### v2.13.2 (2015-07-16): #### HOLD ON TO YOUR TENTACLES... IT'S NPM RELEASE TIME! Kat: Hooray! Full team again, and we've got a pretty small patch release this week, about everyone's favorite recurring issue: git URLs! Rebecca: No Way! Again? Kat: The ride never ends! In the meantime, there's some fun, exciting work in the background to get orgs and teams out the door. Keep an eye out for news. :) Rebecca: And make sure to keep an eye out for patches for the super-fresh `npm@3`! #### LET'S GIT INKY Rebecca: So what's this about another git URL issue? Kat: Welp, I apparently broke backwards-compatibility on what are actually invalid `git+https` URLs! So I'm making it work, but we're gonna deprecate URLs that look like `git+https://user@host:path/is/here`. Rebecca: What should we use instead?! Kat: Just do me a solid and use `git+ssh://user@host:path/here` or `git+https://user@host/absolute/https/path` instead! * [`769f06e`](https://github.com/npm/npm/commit/769f06e5455d7a9fc738379de2e05868df0dab6f) Updated tests for `getResolved` so the URLs are run through `normalize-git-url`. ([@zkat](https://github.com/zkat)) * [`edbae68`](https://github.com/npm/npm/commit/edbae685bf48971e878ced373d6825fc1891ee47) [#8881](https://github.com/npm/npm/issues/8881) Added tests to verify that `git+https:` URLs are handled compatibly. ([@zkat](https://github.com/zkat)) #### NEWS FLASH! DOCUMENTATION IMPROVEMENTS! * [`bad4e014`](https://github.com/npm/npm/commit/bad4e0143cc95754a682f1da543b2b4e196e924b) [#8924](https://github.com/npm/npm/pull/8924) Make sure documented default values in `lib/cache.js` properly correspond to current code. ([@watilde](https://github.com/watilde)) * [`e7a11fd`](https://github.com/npm/npm/commit/e7a11fdf70e333cdfe3dac94a1a30907adb76d59) [#8036](https://github.com/npm/npm/issues/8036) Clarify the documentation for `.npmrc` to clarify that it's not read at the project level when doing global installs. ([@espadrine](https://github.com/espadrine)) #### STAY FRESH~ Kat: That's it for npm core changes! Rebecca: Great! Let's look at the fresh new dependencies, then! Kat: See you all next week! Both: Stay Freeesh~ (some cat form of Forrest can be seen snoring in the corner) * [`bfa1f45`](https://github.com/npm/npm/bfa1f45ee760d05039557d2245b7e3df9fda8def) `normalize-git-url@3.0.1`: Fixes url normalization such that `git+https:` accepts scp syntax, but get converted into absolute-path `https:` URLs. Also fixes scp syntax so you can have absolute paths after the `:` (`git@myhost.org:/some/absolute/place.git`) ([@zkat](https://github.com/zkat)) * [`6f757d2`](https://github.com/npm/npm/6f757d22b53f91da0bebec6b5d16c1f4dbe130b4) `glob@5.0.15`: Better handling of ENOTSUP ([@isaacs](https://github.com/isaacs)) * [`0920819`](https://github.com/npm/npm/09208197fb8b0c6d5dbf6bd7f59970cf366de989) `node-gyp@2.0.2`: Fixes an issue with long paths on Win32 ([@TooTallNate](https://github.com/TooTallNate)) ### v3.1.2 #### SO VERY BETA RELEASE So, `v3.1.1` managed to actually break installing local modules. And then immediately after I drove to an island for the weekend. 😁 So let's get this fixed outside the usual release train! Fortunately it didn't break installing _global_ modules and so you could swap it out for another version at least. #### DISCLAIMER MEANS WHAT IT SAYS **_THIS IS BETA SOFTWARE_**. Yes, we're still reminding you of this. No, you can't be excused. `npm@3` will remain in beta until we're confident that it's stable and have assessed the effect of the breaking changes on the community. During that time we will still be doing `npm@2` releases, with `npm@2` tagged as `latest` and `next`. We'll _also_ be publishing new releases of `npm@3` as `npm@v3.x-next` and `npm@v3.x-latest` alongside those versions until we're ready to switch everyone over to `npm@3`. We need your help to find and fix its remaining bugs. It's a significant rewrite, so we are _sure_ there still significant bugs remaining. So do us a solid and deploy it in non-critical CI environments and for day-to-day use, but maybe don't use it for production maintenance or frontline continuous deployment just yet. #### THIS IS IT, THE REASON * [`f5e19df`](https://github.com/npm/npm/commit/f5e19df) [#8893](https://github.com/npm/npm/issues/8893) Fix crash when installing local modules introduced by the fix for [#8608](https://github.com/npm/npm/issues/8608) ([@iarna](https://github.com/iarna) ### v3.1.1 #### RED EYE RELEASE Rebecca's up too late writing tests, so you can have npm@3 bug fixes! Lots of great new issues from you all! ❤️️ Keep it up! #### YUP STILL BETA, PLEASE PAY ATTENTION **_THIS IS BETA SOFTWARE_**. Yes, we're still reminding you of this. No, you can't be excused. `npm@3` will remain in beta until we're confident that it's stable and have assessed the effect of the breaking changes on the community. During that time we will still be doing `npm@2` releases, with `npm@2` tagged as `latest` and `next`. We'll _also_ be publishing new releases of `npm@3` as `npm@v3.x-next` and `npm@v3.x-latest` alongside those versions until we're ready to switch everyone over to `npm@3`. We need your help to find and fix its remaining bugs. It's a significant rewrite, so we are _sure_ there still significant bugs remaining. So do us a solid and deploy it in non-critical CI environments and for day-to-day use, but maybe don't use it for production maintenance or frontline continuous deployment just yet. #### BOOGS * [`9badfd6`](https://github.com/npm/npm/commit/9babfd63f19f2d80b2d2624e0963b0bdb0d76ef4) [#8608](https://github.com/npm/npm/issues/8608) Make global installs and uninstalls MUCH faster by only reading the directories of modules referred to by arguments. ([@iarna](https://github.com/iarna) * [`075a5f0`](https://github.com/npm/npm/commit/075a5f046ab6837f489b08d44cb601e9fdb369b7) [#8660](https://github.com/npm/npm/issues/8660) Failed optional deps would still result in the optional deps own dependencies being installed. We now find them and fail them out of the tree. ([@iarna](https://github.com/iarna) * [`c9fbbb5`](https://github.com/npm/npm/commit/c9fbbb540083396ea58fd179d81131d959d8e049) [#8863](https://github.com/npm/npm/issues/8863) The "no compatible version found" error message was including only the version requested, not the name of the package we wanted. Ooops! ([@iarna](https://github.com/iarna) * [`32e6bbd`](https://github.com/npm/npm/commit/32e6bbd21744dcbe8c0720ab53f60caa7f2a0588) [#8806](https://github.com/npm/npm/issues/8806) The "uninstall" lifecycle was being run after all of a module's dependencies has been removed. This reverses that order-- this means "uninstall" lifecycles can make use of the package's dependencies. ([@iarna](https://github.com/iarna) #### MERGED FORWARD * Check out the [v2.13.1 release notes](https://github.com/npm/npm/releases/tag/v2.13.1) and see all the changes we ported from npm@2. ### v2.13.1 (2015-07-09): #### KAUAI WAS NICE. I MISS IT. But Forrest's still kinda on vacation, and not just mentally, because he's hanging out with the fine meatbags at CascadiaFest. Enjoy this small bug release. #### MAKE OURSELVES HAPPY * [`40981f2`](https://github.com/npm/npm/commit/40981f2e0c9c12bb003ccf188169afd1d201f5af) [#8862](https://github.com/npm/npm/issues/8862) Make the lifecycle's safety check work with scoped packages. ([@tcort](https://github.com/tcort)) * [`5125856`](https://github.com/npm/npm/commit/512585622481dbbda9a0306932468d59efaff658) [#8855](https://github.com/npm/npm/issues/8855) Make dependency versions of `"*"` match `"latest"` when all versions are prerelease. ([@iarna](https://github.com/iarna)) * [`22fdc1d`](https://github.com/npm/npm/commit/22fdc1d52602ba7098af978c75fca8f7d1060141) Visually emphasize the correct way to write lifecycle scripts. ([@josh-egan](https://github.com/josh-egan)) #### MAKE TRAVIS HAPPY * [`413c3ac`](https://github.com/npm/npm/commit/413c3ac2ab2437f3011c6ca0d1630109ec14e604) Use npm's `2.x` branch for testing its `2.x` branch. ([@iarna](https://github.com/iarna)) * [`7602f64`](https://github.com/npm/npm/commit/7602f64826f7a465d9f3a20bd87a376d992607e6) Don't prompt for GnuPG passphrase in version lifecycle tests. ([@othiym23](https://github.com/othiym23)) #### MAKE `npm outdated` HAPPY * [`d338668`](https://github.com/npm/npm/commit/d338668601d1ebe5247a26237106e80ea8cd7f48) [#8796](https://github.com/npm/npm/issues/8796) `fstream-npm@1.0.4`: When packing the package tarball, npm no longer crashes for packages with certain combinations of `.npmignore` entries, `.gitignore` entries, and lifecycle scripts. ([@iarna](https://github.com/iarna)) * [`dbe7c9c`](https://github.com/npm/npm/commit/dbe7c9c74734be870d16dd61b9e7f746123011f6) `nock@2.7.0`: Add matching based on query strings. ([@othiym23](https://github.com/othiym23)) There are new versions of `strip-ansi` and `ansi-regex`, but npm only uses them indirectly, so we pushed them down into their dependencies where they can get updated at their own pace. * [`06b6ca5`](https://github.com/npm/npm/commit/06b6ca5b5333025f10c8d901628859bd4678e027) undeduplicate `ansi-regex` ([@othiym23](https://github.com/othiym23)) * [`b168e33`](https://github.com/npm/npm/commit/b168e33ad46faf47020a45f72ba8cec8c644bdb9) undeduplicate `strip-ansi` ([@othiym23](https://github.com/othiym23)) ### v3.1.0 (2015-07-02): This has been a brief week of bug fixes, plus some fun stuff merged forward from this weeks 2.x release. See the [2.13.0 release notes](https://github.com/npm/npm/releases/tag/v2.13.0) for details on that. You all have been AWESOME with [all](https://github.com/npm/npm/milestones/3.x) [the](https://github.com/npm/npm/milestones/3.2.0) npm@3 bug reports! Thank you and keep up the great work! #### NEW PLACE, SAME CODE Remember how last week we said `npm@3` would go to `3.0-next` and latest tags? Yeaaah, no, please use `npm@v3.x-next` and `npm@v3.x-latest` going forward. I dunno why we said "suuure, we'll never do a feature release till we're out of beta" when we're still forward porting `npm@2.x` features. `¯\_(ツ)_/¯` If you do accidentally use the old tag names, I'll be maintaining them for a few releases, but they won't be around forever. #### YUP STILL BETA, PLEASE PAY ATTENTION **_THIS IS BETA SOFTWARE_**. `npm@3` will remain in beta until we're confident that it's stable and have assessed the effect of the breaking changes on the community. During that time we will still be doing `npm@2` releases, with `npm@2` tagged as `latest` and `next`. We'll _also_ be publishing new releases of `npm@3` as `npm@v3.x-next` and `npm@v3.x-latest` alongside those versions until we're ready to switch everyone over to `npm@3`. We need your help to find and fix its remaining bugs. It's a significant rewrite, so we are _sure_ there still significant bugs remaining. So do us a solid and deploy it in non-critical CI environments and for day-to-day use, but maybe don't use it for production maintenance or frontline continuous deployment just yet. #### BUGS ON THE WINDOWS * [`0030ade`](https://github.com/npm/npm/commit/0030ade) [#8685](https://github.com/npm/npm/issues/8685) Windows would hang when trying to clone git repos ([@euprogramador](https://github.com/npm/npm/pull/8777)) * [`b259bcc`](https://github.com/npm/npm/commit/b259bcc) [#8786](https://github.com/npm/npm/pull/8786) Windows permissions checks would cause installations to fail under some circumstances. We're disabling the checks entirely for this release. I'm hoping to check back with this next week to get a Windows friendly fix in. ([@iarna](https://github.com/iarna)) #### SO MANY BUGS SQUASHED, JUST CALL US RAID * [`0848698`](https://github.com/npm/npm/commit/0848698) [#8686](https://github.com/npm/npm/pull/8686) Stop leaving progress bar cruft on the screen during publication ([@ajcrites](https://github.com/ajcrites)) * [`57c3cea`](https://github.com/npm/npm/commit/57c3cea) [#8695](https://github.com/npm/npm/pull/8695) Remote packages with shrinkwraps made npm cause node + iojs to explode and catch fire. NO MORE. ([@iarna](https://github.com/iarna)) * [`2875ba3`](https://github.com/npm/npm/commit/2875ba3) [#8723](https://github.com/npm/npm/pull/8723) I uh, told you that engineStrict checking had gone away last week. TURNS OUT I LIED. So this is making that actually be true. ([@iarna](https://github.com/iarna)) * [`28064e5`](https://github.com/npm/npm/commit/28064e5) [#3358](https://github.com/npm/npm/issues/3358) Consistently allow Unicode BOMs at the start of package.json files. Previously this was allowed some of time, like when you were installing modules, but not others, like running npm version or installing w/ `--save`. ([@iarna](https://github.com/iarna)) * [`3cb6ad2`](https://github.com/npm/npm/commit/3cb6ad2) [#8736](https://github.com/npm/npm/issues/8766) npm@3 wasn't running the "install" lifecycle in your current (toplevel) module. This broke modules that relied on C compilation. BOO. ([@iarna](https://github.com/iarna)) * [`68da583`](https://github.com/npm/npm/commit/68da583) [#8766](https://github.com/npm/npm/issues/8766) To my great shame, `npm link package` wasn't working AT ALL if you didn't have `package` already installed. ([@iarna](https://github.com/iarna)) * [`edd7448`](https://github.com/npm/npm/commit/edd7448) read-package-tree@5.0.0: This update makes read-package-tree not explode when there's bad data in your node_modules folder. npm@2 silently ignores this sort of thing. ([@iarna](https://github.com/iarna)) * [`0bb08c8`](https://github.com/npm/npm/commit/0bb08c8) [#8778](https://github.com/npm/npm/pull/8778) RELATEDLY, we now show any errors from your node_modules folder after your installation completes as warnings. We're also reporting these in `npm ls` now. ([@iarna](https://github.com/iarna)) * [`6c248ff`](https://github.com/npm/npm/commit/6c248ff) [#8779](https://github.com/npm/npm/pull/8779) Hey, you know how we used to complain if your `package.json` was missing stuff? Well guess what, we are again. I know, I know, you can thank me later. ([@iarna](https://github.com/iarna)) * [`d6f7c98`](https://github.com/npm/npm/commit/d6f7c98) So, when we were rolling back after errors we had untested code that tried to undo moves. Being untested it turns out it was very broken. I've removed it until we have time to do this right. ([@iarna](https://github.com/iarna)) #### NEW VERSION Just the one. Others came in via the 2.x release. Do check out its changelog, immediately following this message. * [`4e602c5`](https://github.com/npm/npm/commit/4e602c5) lodash@3.2.2 ### v2.13.0 (2015-07-02): #### FORREST IS OUT! LET'S SNEAK IN ALL THE THINGS! Well, not _everything_. Just a couple of goodies, like the new `npm ping` command, and the ability to add files to the commits created by `npm version` with the new version hooks. There's also a couple of bugfixes in `npm` itself and some of its dependencies. Here we go! #### YES HELLO THIS IS NPM REGISTRY SORRY NO DOG HERE Yes, that's right! We now have a dedicated `npm ping` command. It's super simple and super easy. You ping. We tell you whether you pinged right by saying hello right back. This should help out folks dealing with things like proxy issues or other registry-access debugging issues. Give it a shot! This addresses [#5750](https://github.com/npm/npm/issues/5750), and will help with the `npm doctor` stuff described in [#6756](https://github.com/npm/npm/issues/6756). * [`f1f7a85`](https://github.com/npm/npm/commit/f1f7a85) Add ping command to CLI ([@michaelnisi](https://github.com/michaelnisi)) * [`8cec629`](https://github.com/npm/npm/commit/8cec629) Add ping command to npm-registry-client ([@michaelnisi](https://github.com/michaelnisi)) * [`0c0c92d`](https://github.com/npm/npm/0c0c92d) Fixed ping command issues (added docs, tests, fixed minor bugs, etc) ([@zkat](https://github.com/zkat)) #### I'VE WANTED THIS FOR `version` SINCE LIKE LITERALLY FOREVER AND A DAY Seriously! This patch lets you add files to the `version` commit before it's made, So you can add additional metadata files, more automated changes to `package.json`, or even generate `CHANGELOG.md` automatically pre-commit if you're into that sort of thing. I'm so happy this is there I can't even. Do you have other fun usecases for this? Tell [npmbot (@npmjs)](http://twitter.com/npmjs) about it! * [`582f170`](https://github.com/npm/npm/commit/582f170) [#8620](https://github.com/npm/npm/issues/8620) version: Allow scripts to add files to the commit. ([@jamestalmage](https://github.com/jamestalmage)) #### ALL YOUR FILE DESCRIPTORS ARE BELONG TO US We've had problems in the past with things like `EMFILE` errors popping up when trying to install packages with a bunch of dependencies. Isaac patched up [`graceful-fs`](https://github.com/isaacs/node-graceful-fs) to handle this case better, so we should be seeing fewer of those. * [`022691a`](https://github.com/npm/npm/commit/022691a) `graceful-fs@4.1.2`: Updated so we can monkey patch globally. ([@isaacs](https://github.com/isaacs)) * [`c9fb0fd`](https://github.com/npm/npm/commit/c9fb0fd) Globally monkey-patch graceful-fs. This should fix some errors when installing packages with lots of dependencies. ([@isaacs](https://github.com/isaacs)) #### READ THE FINE DOCS. THEY'VE IMPROVED * [`5587d0d`](https://github.com/npm/npm/commit/5587d0d) Nice clarification for `directories.bin` ([@ujane](https://github.com/ujane)) * [`20673c7`](https://github.com/npm/npm/commit/20673c7) Hey, Windows folks! Check out [`nvm-windows`](https://github.com/coreybutler/nvm-windows) ([@ArtskydJ](https://github.com/ArtskydJ)) #### MORE NUMBERS! MORE VALUE! * [`5afa2d5`](https://github.com/npm/npm/commit/5afa2d5) `validate-npm-package-name@2.2.2`: Documented package name rules in README ([@zeusdeux](https://github.com/zeusdeux)) * [`021f4d9`](https://github.com/npm/npm/commit/021f4d9) `rimraf@2.4.1`: [#74](https://github.com/isaacs/rimraf/issues/74) Use async function for bin (to better handle Window's `EBUSY`) ([@isaacs](https://github.com/isaacs)) * [`5223432`](https://github.com/npm/npm/commit/5223432) `osenv@0.1.3`: Use `os.homedir()` polyfill for more reliable output. io.js added the function and the polyfill does a better job than the prior solution. ([@sindresorhus](https://github.com/sindresorhus)) * [`8ebbc90`](https://github.com/npm/npm/commit/8ebbc90) `npm-cache-filename@1.0.2`: Make sure different git references get different cache folders. This should prevent `foo/bar#v1.0` and `foo/bar#master` from sharing the same cache folder. ([@tomekwi](https://github.com/tomekwi)) * [`367b854`](https://github.com/npm/npm/commit/367b854) `lru-cache@2.6.5`: Minor test/typo changes ([@isaacs](https://github.com/isaacs)) * [`9fcae61`](https://github.com/npm/npm/commit/9fcae61) `glob@5.0.13`: Tiny doc change + stop firing 'match' events for ignored items. ([@isaacs](https://github.com/isaacs)) #### OH AND ONE MORE THING * [`7827249`](https://github.com/npm/npm/commit/7827249) `PeerDependencies` errors now include the package version. ([@NickHeiner](https://github.com/NickHeiner)) ### v2.12.1 (2015-06-25): #### HEY WHERE DID EVERYBODY GO I keep [hearing some commotion](https://github.com/npm/npm/releases/tag/v3.0.0). Is there something going on? Like, a party or something? Anyway, here's a small release with at least two significant bug fixes, at least one of which some of you have been waiting for for quite a while. #### REMEMBER WHEN I SAID "REMEMBER WHEN I SAID THAT THING ABOUT PERMISSIONS?"? `npm@2.12.0` has a change that introduces a fix for a permissions problem whereby the `_locks` directory in the cache directory can up being owned by root. The fix in 2.12.0 takes care of that problem, but introduces a new problem for Windows users where npm tries to call `process.getuid()`, which doesn't exist on Windows. It was easy enough to fix (but more or less impossible to test, thanks to all the external dependencies involved with permissions and platforms and whatnot), but as a result, Windows users might want to skip `npm@2.12.0` and go straight to `npm@2.12.1`. Sorry about that! * [`7e5da23`](https://github.com/npm/npm/commit/7e5da238ee869201fdb9027c27b79b0f76b440a8) When using the new, "fixed" cache directory creator, be extra-careful to not call `process.getuid()` on platforms that lack it. ([@othiym23](https://github.com/othiym23)) #### WHEW! ALL DONE FIXING GIT FOREVER! New npm CLI team hero [@zkat](https://github.com/zkat) has finally (FINALLY) fixed the regression somebody (hi!) introduced a couple months ago whereby git URLs of the format `git+ssh://user@githost.com:org/repo.git` suddenly stopped working, and also started being saved (and cached) incorrectly. I am 100% sure there are absolutely no more bugs in the git caching code at all ever. Mm hm. Yep. Pretty sure. Maybe. Hmm... I hope. *Sighs audibly.* [Let us know](http://github.com/npm/npm/issues/new) if we broke something else with this fix. * [`94ca4a7`](https://github.com/npm/npm/commit/94ca4a711619ba8e40ce3d20bc42b13cdb7611b7) [#8031](https://github.com/npm/npm/issues/8031) Even though `git+ssh://user@githost.com:org/repo.git` isn't a URL, treat it like one for the purposes of npm. ([@zkat](https://github.com/zkat)) * [`e7f56e5`](https://github.com/npm/npm/commit/e7f56e5a97fcf1c52d5c5bee71303b0126129815) [#8031](https://github.com/npm/npm/issues/8031) `normalize-git-url@2.0.0`: Handle git URLs (and URL-like remote refs) in a manner consistent with npm's docs. ([@zkat](https://github.com/zkat)) #### YEP, THERE ARE STILL DEPENDENCY UPGRADES * [`679bf47`](https://github.com/npm/npm/commit/679bf4745ac2cfbb01c9ce273e189807fd04fa33) [#40](http://github.com/npm/read-installed/issues/40) `read-installed@4.0.1`: Handle prerelease versions in top-level dependencies not in `package.json` without marking those packages as invalid. ([@benjamn](https://github.com/benjamn)) * [`3a67410`](https://github.com/npm/npm/commit/3a6741068c9119174c920496778aeee870ebdac0) `tap@1.3.1` ([@isaacs](https://github.com/isaacs)) * [`151904a`](https://github.com/npm/npm/commit/151904af39dc24567f8c98529a2a64a4dbcc960a) `nopt@3.0.3` ([@isaacs](https://github.com/isaacs)) ### v3.0.0 (2015-06-25): Wow, it's finally here! This has been a long time coming. We are all delighted and proud to be getting this out into the world, and are looking forward to working with the npm user community to get it production-ready as quickly as possible. `npm@3` constitutes a nearly complete rewrite of npm's installer to be easier to maintain, and to bring a bunch of valuable new features and design improvements to you all. [@othiym23](https://github.com/othiym23) and [@isaacs](https://github.com/isaacs) have been [talking about the changes](http://blog.npmjs.org/post/91303926460/npm-cli-roadmap-a-periodic-update) in this release for well over a year, and it's been the primary focus of [@iarna](https://github.com/iarna) since she joined the team. Given that this is a near-total rewrite, all changes listed here are [@iarna](https://github.com/iarna)'s work unless otherwise specified. #### NO, REALLY, READ THIS PARAGRAPH. IT'S THE IMPORTANT ONE. **_THIS IS BETA SOFTWARE_**. `npm@3` will remain in beta until we're confident that it's stable and have assessed the effect of the breaking changes on the community. During that time we will still be doing `npm@2` releases, with `npm@2` tagged as `latest` and `next`. We'll _also_ be publishing new releases of `npm@3` as `npm@3.0-next` and `npm@3.0-latest` alongside those versions until we're ready to switch everyone over to `npm@3`. We need your help to find and fix its remaining bugs. It's a significant rewrite, so we are _sure_ there still significant bugs remaining. So do us a solid and deploy it in non-critical CI environments and for day-to-day use, but maybe don't use it for production maintenance or frontline continuous deployment just yet. #### BREAKING CHANGES ##### `peerDependencies` `grunt`, `gulp`, and `broccoli` plugin maintainers take note! You will be affected by this change! * [#6930](https://github.com/npm/npm/issues/6930) ([#6565](https://github.com/npm/npm/issues/6565)) `peerDependencies` no longer cause _anything_ to be implicitly installed. Instead, npm will now warn if a packages `peerDependencies` are missing, but it's up to the consumer of the module (i.e. you) to ensure the peers get installed / are included in `package.json` as direct `dependencies` or `devDependencies` of your package. * [#3803](https://github.com/npm/npm/issues/3803) npm also no longer checks `peerDependencies` until after it has fully resolved the tree. This shifts the responsibility for fulfilling peer dependencies from library / framework / plugin maintainers to application authors, and is intended to get users out of the dependency hell caused by conflicting `peerDependency` constraints. npm's job is to keep you _out_ of dependency hell, not put you in it. ##### `engineStrict` * [#6931](https://github.com/npm/npm/issues/6931) The rarely-used `package.json` option `engineStrict` has been deprecated for several months, producing warnings when it was used. Starting with `npm@3`, the value of the field is ignored, and engine violations will only produce warnings. If you, as a user, want strict `engines` field enforcement, just run `npm config set engine-strict true`. As with the peer dependencies change, this is about shifting control from module authors to application authors. It turns out `engineStrict` was very difficult to understand even harder to use correctly, and more often than not just made modules using it difficult to deploy. ##### `npm view` * [`77f1aec`](https://github.com/npm/npm/commit/77f1aec) With `npm view` (aka `npm info`), always return arrays for versions, maintainers, etc. Previously npm would return a plain value if there was only one, and multiple values if there were more. ([@KenanY](https://github.com/KenanY)) #### KNOWN BUGS Again, this is a _**BETA RELEASE**_, so not everything is working just yet. Here are the issues that we already know about. If you run into something that isn't on this list, [let us know](https://github.com/npm/npm/issues/new)! * [#8575](https://github.com/npm/npm/issues/8575) Circular deps will never be removed by the prune-on-uninstall code. * [#8588](https://github.com/npm/npm/issues/8588) Local deps where the dep name and the name in the package.json differ don't result in an error. * [#8637](https://github.com/npm/npm/issues/8637) Modules can install themselves as direct dependencies. npm@2 declined to do this. * [#8660](https://github.com/npm/npm/issues/8660) Dependencies of failed optional dependencies aren't rolled back when the optional dependency is, and then are reported as extraneous thereafter. #### NEW FEATURES ##### The multi-stage installer! * [#5919](https://github.com/npm/npm/issues/5919) Previously the installer had a set of steps it executed for each package and it would immediately start executing them as soon as it decided to act on a package. But now it executes each of those steps at the same time for all packages, waiting for all of one stage to complete before moving on. This eliminates many race conditions and makes the code easier to reason about. This fixes, for instance: * [#6926](https://github.com/npm/npm/issues/6926) ([#5001](https://github.com/npm/npm/issues/5001), [#6170](https://github.com/npm/npm/issues/6170)) `install` and `postinstall` lifecycle scripts now only execute `after` all the module with the script's dependencies are installed. ##### Install: it looks different! You'll now get a tree much like the one produced by `npm ls` that highlights in orange the packages that were installed. Similarly, any removed packages will have their names prefixed by a `-`. Also, `npm outdated` used to include the name of the module in the `Location` field: ``` Package Current Wanted Latest Location deep-equal MISSING 1.0.0 1.0.0 deep-equal glob 4.5.3 4.5.3 5.0.10 rimraf > glob ``` Now it shows the module that required it as the final point in the `Location` field: ``` Package Current Wanted Latest Location deep-equal MISSING 1.0.0 1.0.0 npm glob 4.5.3 4.5.3 5.0.10 npm > rimraf ``` Previously the `Location` field was telling you where the module was on disk. Now it tells you what requires the module. When more than one thing requires the module you'll see it listed once for each thing requiring it. ##### Install: it works different! * [#6928](https://github.com/npm/npm/issues/6928) ([#2931](https://github.com/npm/npm/issues/2931) [#2950](https://github.com/npm/npm/issues/2950)) `npm install` when you have an `npm-shrinkwrap.json` will ensure you have the modules specified in it are installed in exactly the shape specified no matter what you had when you started. * [#6913](https://github.com/npm/npm/issues/6913) ([#1341](https://github.com/npm/npm/issues/1341) [#3124](https://github.com/npm/npm/issues/3124) [#4956](https://github.com/npm/npm/issues/4956) [#6349](https://github.com/npm/npm/issues/6349) [#5465](https://github.com/npm/npm/issues/5465)) `npm install` when some of your dependencies are missing sub-dependencies will result in those sub-dependencies being installed. That is, `npm install` now knows how to fix broken installs, most of the time. * [#5465](https://github.com/npm/npm/issues/5465) If you directly `npm install` a module that's already a subdep of something else and your new version is incompatible, it will now install the previous version nested in the things that need it. * [`a2b50cf`](https://github.com/npm/npm/commit/a2b50cf) [#5693](https://github.com/npm/npm/issues/5693) When installing a new module, if it's mentioned in your `npm-shrinkwrap.json` or your `package.json` use the version specifier from there if you didn't specify one yourself. ##### Flat, flat, flat! Your dependencies will now be installed *maximally flat*. Insofar as is possible, all of your dependencies, and their dependencies, and THEIR dependencies will be installed in your project's `node_modules` folder with no nesting. You'll only see modules nested underneath one another when two (or more) modules have conflicting dependencies. * [#3697](https://github.com/npm/npm/issues/3697) This will hopefully eliminate most cases where windows users ended up with paths that were too long for Explorer and other standard tools to deal with. * [#6912](https://github.com/npm/npm/issues/6912) ([#4761](https://github.com/npm/npm/issues/4761) [#4037](https://github.com/npm/npm/issues/4037)) This also means that your installs will be deduped from the start. * [#5827](https://github.com/npm/npm/issues/5827) This deduping even extends to git deps. * [#6936](https://github.com/npm/npm/issues/6936) ([#5698](https://github.com/npm/npm/issues/5698)) Various commands are dedupe aware now. This has some implications for the behavior of other commands: * `npm uninstall` removes any dependencies of the module that you specified that aren't required by any other module. Previously, it would only remove those that happened to be installed under it, resulting in left over cruft if you'd ever deduped. * `npm ls` now shows you your dependency tree organized around what requires what, rather than where those modules are on disk. * [#6937](https://github.com/npm/npm/issues/6937) `npm dedupe` now flattens the tree in addition to deduping. And bundling of dependencies when packing or publishing changes too: * [#2442](https://github.com/npm/npm/issues/2442) bundledDependencies no longer requires that you specify deduped sub deps. npm can now see that a dependency is required by something bundled and automatically include it. To put that another way, bundledDependencies should ONLY include things that you included in dependencies, optionalDependencies or devDependencies. * [#5437](https://github.com/npm/npm/issues/5437) When bundling a dependency that's both a `devDependency` and the child of a regular `dependency`, npm bundles the child dependency. As a demonstration of our confidence in our own work, npm's own dependencies are now flattened, deduped, and bundled in the `npm@3` style. This means that `npm@3` can't be packed or published by `npm@2`, which is something to be aware of if you're hacking on npm. ##### Shrinkwraps: they are a-changin'! First of all, they should be idempotent now ([#5779](https://github.com/npm/npm/issues/5779)). No more differences because the first time you install (without `npm-shrinkwrap.json`) and the second time (with `npm-shrinkwrap.json`). * [#6781](https://github.com/npm/npm/issues/6781) Second, if you save your changes to `package.json` and you have `npm-shrinkwrap.json`, then it will be updated as well. This applies to all of the commands that update your tree: * `npm install --save` * `npm update --save` * `npm dedupe --save` ([#6410](https://github.com/npm/npm/issues/6410)) * `npm uninstall --save` * [#4944](https://github.com/npm/npm/issues/4944) ([#5161](https://github.com/npm/npm/issues/5161) [#5448](https://github.com/npm/npm/issues/5448)) Third, because `node_modules` folders are now deduped and flat, shrinkwrap has to also be smart enough to handle this. And finally, enjoy this shrinkwrap bug fix: * [#3675](https://github.com/npm/npm/issues/3675) When shrinkwrapping a dependency that's both a `devDependency` and the child of a regular `dependency`, npm now correctly includes the child. ##### The Age of Progress (Bars)! * [#6911](https://github.com/npm/npm/issues/6911) ([#1257](https://github.com/npm/npm/issues/1257) [#5340](https://github.com/npm/npm/issues/5340) [#6420](https://github.com/npm/npm/issues/6420)) The spinner is gone (yay? boo? will you miss it?), and in its place npm has _progress bars_, so you actually have some sense of how long installs will take. It's provided in Unicode and non-Unicode variants, and Unicode support is automatically detected from your environment. #### TINY JEWELS The bottom is where we usually hide the less interesting bits of each release, but each of these are small but incredibly useful bits of this release, and very much worth checking out: * [`9ebe312`](https://github.com/npm/npm/commit/9ebe312) Build system maintainers, rejoice: npm does a better job of cleaning up after itself in your temporary folder. * [#6942](https://github.com/npm/npm/issues/6942) Check for permissions issues prior to actually trying to install anything. * Emit warnings at the end of the installation when possible, so that they'll be on your screen when npm stops. * [#3505](https://github.com/npm/npm/issues/3505) `npm --dry-run`: You can now ask that npm only report what it _would have done_ with the new `--dry-run` flag. This can be passed to any of the commands that change your `node_modules` folder: `install`, `uninstall`, `update` and `dedupe`. * [`81b46fb`](https://github.com/npm/npm/commit/81b46fb) npm now knows the correct URLs for `npm bugs` and `npm repo` for repositories hosted on Bitbucket and GitLab, just like it does for GitHub (and GitHub support now extends to projects hosted as gists as well as traditional repositories). * [`5be4008a`](https://github.com/npm/npm/commit/5be4008a09730cfa3891d9f145e4ec7f2accd144) npm has been cleaned up to pass the [`standard`](http://npm.im/standard) style checker. Forrest and Rebecca both feel this makes it easier to read and understand the code, and should also make it easier for new contributors to put merge-ready patches. ([@othiym23](https://github.com/othiym23)) #### ZARRO BOOGS * [`6401643`](https://github.com/npm/npm/commit/6401643) Make sure the global install directory exists before installing to it. ([@thefourtheye](https://github.com/thefourtheye)) * [#6158](https://github.com/npm/npm/issues/6158) When we remove modules we do so inside-out running unbuild for each one. * [`960a765`](https://github.com/npm/npm/commit/960a765) The short usage information for each subcommand has been brought in sync with the documentation. ([@smikes](https://github.com/smikes)) ### v2.12.0 (2015-06-18): #### REMEMBER WHEN I SAID THAT THING ABOUT PERMISSIONS? About [a million people](https://github.com/npm/npm/issues?utf8=%E2%9C%93&q=is%3Aissue+EACCES+_locks) have filed issues related to having a tough time using npm after they've run npm once or twice with sudo. "Don't worry about it!" I said. "We've fixed all those permissions problems ages ago! Use this one weird trick and you'll never have to deal with this again!" Well, uh, if you run npm with root the first time you run npm on a machine, it turns out that the directory npm uses to store lockfiles ends up being owned by the wrong user (almost always root), and that can, well, it can cause problems sometimes. By which I mean every time you run npm without being root it'll barf with `EACCES` errors. Whoops! This is an obnoxious regression, and to prevent it from recurring, we've made it so that the cache, cached git remotes, and the lockfile directories are all created and maintained using the same utilty module, which not only creates the relevant paths with the correct permissions, but will fix the permissions on those directories (if it can) when it notices that they're broken. An `npm install` run as root ought to be sufficient to fix things up (and if that doesn't work, first tell us about it, and then run `sudo chown -R $(whoami) $HOME/.npm`) Also, I apologize for inadvertently gaslighting any of you by claiming this bug wasn't actually a bug. I do think we've got this permanently dealt with now, but I'll be paying extra-close attention to permissions issues related to the cache for a while. * [`85d1a53`](https://github.com/npm/npm/commit/85d1a53d7b5e0fc04823187e522ae3711ede61fa) Set permissions on lock directory to the owner of the process. ([@othiym23](https://github.com/othiym23)) #### I WENT TO NODECONF AND ALL I GOT WAS THIS LOUSY SPDX T-SHIRT That's not literally true. We spent very little time discussing SPDX, [@kemitchell](https://github.com/kemitchell) is a champ, and I had a lot of fun playing drum & bass to a mostly empty Boogie Barn and only ended up with one moderately severe cold for my pains. Another winner of a NodeConf! (I would probably wear a SPDX T-shirt if somebody gave me one, though.) A bunch of us did have a spirited discussion of the basics of open-source intellectual property, and the convergence of me, [@kemitchell](https://github.com/kemitchell), and [@jandrieu](https://github.com/jandrieu) in one place allowed us to hammmer out a small but significant issue that had been bedeviling early adopters of the new SPDX expression syntax in `package.json` license fields: how to deal with packages that are left without a license on purpose. Refer to [the docs](https://github.com/npm/npm/blob/16a3dd545b10f8a2464e2037506ce39124739b41/doc/files/package.json.md#license) for the specifics, but the short version is that instead of using `LicenseRef-LICENSE` for proprietary licenses, you can now use either `UNLICENSED` if you want to make it clear that you don't _want_ your software to be licensed (and want npm to stop warning you about this), or `SEE LICENSE IN ` if there's a license with custom text you want to use. At some point in the near term, we'll be updating npm to verify that the mentioned file actually exists, but for now you're all on the honor system. * [`4827fc7`](https://github.com/npm/npm/commit/4827fc784117c17f35dd9b51b21d1eff6094f661) [#8557](https://github.com/npm/npm/issues/8557) `normalize-package-data@2.2.1`: Allow `UNLICENSED` and `SEE LICENSE IN ` in "license" field of `package.json`. ([@kemitchell](https://github.com/kemitchell)) * [`16a3dd5`](https://github.com/npm/npm/commit/16a3dd545b10f8a2464e2037506ce39124739b41) [#8557](https://github.com/npm/npm/issues/8557) Document the new accepted values for the "license" field. ([@kemitchell](https://github.com/kemitchell)) * [`8155311`](https://github.com/npm/npm/commit/81553119350deaf199e79e38e35b52a5c8ad206c) [#8557](https://github.com/npm/npm/issues/8557) `init-package-json@1.7.0`: Support new "license" field values at init time. ([@kemitchell](https://github.com/kemitchell)) #### SMALLISH BUG FIXES * [`9d8cac9`](https://github.com/npm/npm/commit/9d8cac94a258db648a2b1069b1c8c6529c79d013) [#8548](https://github.com/npm/npm/issues/8548) Remove extraneous newline from `npm view` output, making it easier to use in shell scripts. ([@eush77](https://github.com/eush77)) * [`765fd4b`](https://github.com/npm/npm/commit/765fd4bfca8ea3e2a4a399765b17eec40a3d893d) [#8521](https://github.com/npm/npm/issues/8521) When checking for outdated packages, or updating packages, raise an error when the registry is unreachable instead of silently "succeeding". ([@ryantemple](https://github.com/ryantemple)) #### SMALLERISH DOCUMENTATION TWEAKS * [`5018335`](https://github.com/npm/npm/commit/5018335ce1754a9f771954ecbc1a93acde9b8c0a) [#8365](https://github.com/npm/npm/issues/8365) Add details about which git environment variables are whitelisted by npm. ([@nmalaguti](https://github.com/nmalaguti)) * [`bed9edd`](https://github.com/npm/npm/commit/bed9edddfdcc6d22a80feab33b53e4ef9172ec72) [#8554](https://github.com/npm/npm/issues/8554) Fix typo in version docs. ([@rainyday](https://github.com/rainyday)) #### WELL, I GUESS THERE ARE MORE DEPENDENCY UPGRADES * [`7ce2f06`](https://github.com/npm/npm/commit/7ce2f06f6f34d469b1d2e248084d4f3fef10c05e) `request@2.58.0`: Refactor tunneling logic, and use `extend` instead of abusing `util._extend`. ([@simov](https://github.com/simov)) * [`e6c6195`](https://github.com/npm/npm/commit/e6c61954aad42e20eec49745615c7640b2026a6c) `nock@2.6.0`: Refined interception behavior. ([@pgte](https://github.com/pgte)) * [`9583cc3`](https://github.com/npm/npm/commit/9583cc3cb192c2fced006927cfba7cd37b588605) `fstream-npm@1.0.3`: Ensure that `main` entry in `package.json` is always included in the bundled package tarball. ([@coderhaoxin](https://github.com/coderhaoxin)) * [`df89493`](https://github.com/npm/npm/commit/df894930f2716adac28740b29b2e863170919990) `fstream@1.0.7` ([@isaacs](https://github.com/isaacs)) * [`9744049`](https://github.com/npm/npm/commit/974404934758124aa8ae5b54f7d5257c3bd6b588) `dezalgo@1.0.3`: `dezalgo` should be usable in the browser, and can be now that `asap` has been upgraded to be browserifiable. ([@mvayngrib](https://github.com/mvayngrib)) ### v2.11.3 (2015-06-11): This was a very quiet week. This release was done by [@iarna](https://github.com/iarna), while the rest of the team hangs out at NodeConf Adventure! #### TESTS IN 0.8 FAIL LESS * [`5b3b3c2`](https://github.com/npm/npm/commit/5b3b3c2) [#8491](//github.com/npm/npm/pull/8491) Updates a test to use only 0.8 compatible features ([@watilde](https://github.com/watilde)) #### THE TREADMILL OF UPDATES NEVER CEASES * [`9f439da`](https://github.com/npm/npm/commit/9f439da) `spdx@0.4.1`: License range updates ([@kemitchell](https://github.com/kemitchell)) * [`2dd055b`](https://github.com/npm/npm/commit/2dd055b) `normalize-package-data@2.2.1`: Fixes a crashing bug when the package.json `scripts` property is not an object. ([@iarna](https://github.com/iarna)) * [`e02e85d`](https://github.com/npm/npm/commit/e02e85d) `osenv@0.1.2`: Switches to using the `os-tmpdir` module instead of `os.tmpdir()` for greate consistency in behavior between node versions. ([@iarna](https://github.com/iarna)) * [`a6f0265`](https://github.com/npm/npm/commit/a6f0265) `ini@1.3.4` ([@isaacs](https://github.com/isaacs)) * [`7395977`](https://github.com/npm/npm/commit/7395977) `rimraf@2.4.0` ([@isaacs](https://github.com/isaacs)) ### v2.11.2 (2015-06-04): Another small release this week, brought to you by the latest addition to the CLI team, [@zkat](https://github.com/zkat) (Hi, all!) Mostly small documentation tweaks and version updates. Oh! And `npm outdated` is actually sorted now. Rejoice! It's gonna be a while before we get another palindromic version number. Enjoy it while it lasts. :3 #### QUALITY OF LIFE HAS NEVER BEEN BETTER * [`31aada4`](https://github.com/npm/npm/commit/31aada4ccc369c0903ff7f233f464955d12c6fe2) [#8401](https://github.com/npm/npm/issues/8401) `npm outdated` output is just that much nicer to consume now, due to sorting by name. ([@watilde](https://github.com/watilde)) * [`458a919`](https://github.com/npm/npm/commit/458a91925d8b20c5e672ba71a86745aad654abaf) [#8469](https://github.com/npm/npm/pull/8469) Explicitly set `cwd` for `preversion`, `version`, and `postversion` scripts. This makes the scripts findable relative to the root dir. ([@alexkwolfe](https://github.com/alexkwolfe)) * [`55d6d71`](https://github.com/npm/npm/commit/55d6d71562e979e745c9db88861cc39f99b9f3ec) Ensure package name and version are included in display during `npm version` lifecycle execution. Gets rid of those little `undefined`s in the console. ([@othiym23](https://github.com/othiym23)) #### WORDS HAVE NEVER BEEN QUITE THIS READABLE * [`3901e49`](https://github.com/npm/npm/commit/3901e4974c800e7f9fba4a5b2ff88da1126d5ef8) [#8462](https://github.com/npm/npm/pull/8462) English apparently requires correspondence between indefinite articles and attached nouns. ([@Enet4](https://github.com/Enet4)) * [`5a744e4`](https://github.com/npm/npm/commit/5a744e4b143ef7b2f50c80a1d96fdae4204d452b) [#8421](https://github.com/npm/npm/pull/8421) The effect of `npm prune`'s `--production` flag and how to use it have been documented a bit better. ([@foiseworth](https://github.com/foiseworth)) * [`eada625`](https://github.com/npm/npm/commit/eada625993485f0a2c5324b06f02bfa0a95ce4bc) We've updated our `.mailmap` and `AUTHORS` files to make sure credit is given where credit is due. ([@othiym23](https://github.com/othiym23)) #### VERSION NUMBERS HAVE NEVER BEEN BIGGER * [`c929fd1`](https://github.com/npm/npm/commit/c929fd1d0604b5878ed05706447e078d3e41f5b3) `readable-stream@1.1.13`: Manually deduped `v1.1.13` (streams3) to make deduping more reliable on `npm@<3`. ([@othiym23](https://github.com/othiym23)) * [`a9b4b78`](https://github.com/npm/npm/commit/a9b4b78dcc85571fd1cdd737903f7f37a5e6a755) `request@2.57.0`: Replace dependency on IncomingMessage's `.client` with `.socket` as the former was deprecated in io.js 2.2.0. ([@othiym23](https://github.com/othiym23)) * [`4b5e557`](https://github.com/npm/npm/commit/4b5e557a23cdefd521ad154111e3d4dcc81f1cdb) `abbrev@1.0.7`: Better testing, with coverage. ([@othiym23](https://github.com/othiym23)) * [`561affe`](https://github.com/npm/npm/commit/561affee21df9bbea5a47298f2452f533be8f359) `semver@4.3.6`: .npmignore added for less cruft, and better testing, with coverage. ([@othiym23](https://github.com/othiym23)) * [`60aef3c`](https://github.com/npm/npm/commit/60aef3cf5d84d757752db3eb8ede2cb385469e7b) `graceful-fs@3.0.8`: io.js fixes. ([@zkat](https://github.com/zkat)) * [`f8bd453`](https://github.com/npm/npm/commit/f8bd453b1a1c46ba7666cb166595e8a011eae443) `config-chain@1.1.9`: Added MIT license to package.json ([@zkat](https://github.com/zkat)) ### v2.11.1 (2015-05-28): This release brought to you from poolside at the Omni Amelia Island Resort and JSConf 2015, which is why it's so tiny. #### CONFERENCE WIFI CAN'T STOP THESE BUG FIXES * [`cf109a6`](https://github.com/npm/npm/commit/cf109a682f38a059a994da953d5c1b4aaece5e2f) [#8381](https://github.com/npm/npm/issues/8381) Documented a subtle gotcha with `.npmrc`, which is that it needs to have its permissions set such that only the owner can read or write the file. ([@colakong](https://github.com/colakong)) * [`180da67`](https://github.com/npm/npm/commit/180da67c9fa53103d625e2f031626c2453c7ebcd) [#8365](https://github.com/npm/npm/issues/8365) Git 2.3 adds support for `GIT_SSH_COMMAND`, which allows you to pass an explicit git command (with, for example, a specific identity passed in on the command line). ([@nmalaguti](https://github.com/nmalaguti)) #### MY (VIRGIN) PINA COLADA IS GETTING LOW, BETTER UPGRADE THESE DEPENDENCIES * [`b72de41`](https://github.com/npm/npm/commit/b72de41c5cc9f0c46d3fa8f062c75bd273641474) `node-gyp@2.0.0`: Use a newer version of `gyp`, and generally improve support for Visual Studios and Windows. ([@TooTallNate](https://github.com/TooTallNate)) * [`8edbe21`](https://github.com/npm/npm/commit/8edbe210af41e8f248f5bb92c72de92f54fda3b1) `node-gyp@2.0.1`: Don't crash when Python's version doesn't parse as valid semver. ([@TooTallNate](https://github.com/TooTallNate)) * [`ba0e0a8`](https://github.com/npm/npm/commit/ba0e0a845a4f29717aba566b416a27d1a22f5d08) `glob@5.0.10`: Add coverage to tests. ([@isaacs](https://github.com/isaacs)) * [`7333701`](https://github.com/npm/npm/commit/7333701b5d4f01673f37d64992c63c4e15864d6d) `request@2.56.0`: Bug fixes and dependency upgrades. ([@simov](https://github.com/simov)) ### v2.11.0 (2015-05-21): For the first time in a very long time, we've added new events to the life cycle used by `npm run-script`. Since running `npm version (major|minor|patch)` is typically the last thing many developers do before publishing their updated packages, it makes sense to add life cycle hooks to run tests or otherwise preflight the package before doing a full publish. Thanks, as always, to the indefatigable [@watilde](https://github.com/watilde) for yet another great usability improvement for npm! #### FEATURELETS * [`b07f7c7`](https://github.com/npm/npm/commit/b07f7c7c1e5021730b3c320f1b3a46e70f8a21ff) [#7906](https://github.com/npm/npm/issues/7906) Add new [`scripts`](https://github.com/npm/npm/blob/master/doc/misc/npm-scripts.md) to allow you to run scripts before and after the [`npm version`](https://github.com/npm/npm/blob/master/doc/cli/npm-version.md) command has run. This makes it easy to, for instance, require that your test suite passes before bumping the version by just adding `"preversion": "npm test"` to the scripts section of your `package.json`. ([@watilde](https://github.com/watilde)) * [`8a46136`](https://github.com/npm/npm/commit/8a46136f42e416cbadb533bcf89d73d681ed421d) [#8185](https://github.com/npm/npm/issues/8185) When we get a "not found" error from the registry, we'll now check to see if the package name you specified is invalid and if so, give you a better error message. ([@thefourtheye](https://github.com/thefourtheye)) #### BUG FIXES * [`9bcf573`](https://github.com/npm/npm/commit/9bcf5730bd0316f210dafea898afe9103849cea9) [#8324](https://github.com/npm/npm/pull/8324) On Windows, when you've configured a custom `node-gyp`, run it with node itself instead of using the default open action (which is almost never what you want). ([@bangbang93](https://github.com/bangbang93)) * [`1da9b04`](https://github.com/npm/npm/commit/1da9b0411d3416c7fca17d08cbbcfca7ae86e92d) [#7195](https://github.com/npm/npm/issues/7195) [#7260](https://github.com/npm/npm/issues/7260) `npm-registry-client@6.4.0`: (Re-)allow publication of existing mixed-case packages (part 1). ([@smikes](https://github.com/smikes)) * [`e926783`](https://github.com/npm/npm/commit/e9267830ab261c751f12723e84d2458ae9238646) [#7195](https://github.com/npm/npm/issues/7195) [#7260](https://github.com/npm/npm/issues/7260) `normalize-package-data@2.2.0`: (Re-)allow publication of existing mixed-case packages (part 2). ([@smikes](https://github.com/smikes)) #### DOCUMENTATION IMPROVEMENTS * [`f62ee05`](https://github.com/npm/npm/commit/f62ee05333b141539a8e851c620dd2e82ff06860) [#8314](https://github.com/npm/npm/issues/8314) Update the README to warn folks away from using the CLI's internal API. For the love of glob, just use a child process to run the CLI! ([@claycarpenter](https://github.com/claycarpenter)) * [`1093921`](https://github.com/npm/npm/commit/1093921c04db41ab46db24a170a634a4b2acd8d9) [#8279](https://github.com/npm/npm/pull/8279) Update the documentation to note that, yes, you can publish scoped packages to the public registry now! ([@mantoni](https://github.com/mantoni)) * [`f87cde5`](https://github.com/npm/npm/commit/f87cde5234a760d3e515ffdaacaed6f5b71dbf44) [#8292](https://github.com/npm/npm/pull/8292) Fix typo in an example and grammar in the description in the [shrinkwrap documentation](https://github.com/npm/npm/blob/master/doc/cli/npm-shrinkwrap.md). ([@vshih](https://github.com/vshih)) * [`d3526ce`](https://github.com/npm/npm/commit/d3526ceb09a0c29fdb7d4124536ae09057d033e7) Improve the formatting in the [shrinkwrap documentation](https://github.com/npm/npm/blob/master/doc/cli/npm-shrinkwrap.md). ([@othiym23](https://github.com/othiym23)) * [`19fe6d2`](https://github.com/npm/npm/commit/19fe6d20883e28956ff916fe4dae42d73ee6195b) [#8311](https://github.com/npm/npm/pull/8311) Update [README.md](https://github.com/npm/npm#readme) to use syntax highlighting in its code samples and bits of shell scripts. ([@SimenB](https://github.com/SimenB)) #### DEPENDENCY UPDATES! ALWAYS AND FOREVER! * [`fc52160`](https://github.com/npm/npm/commit/fc52160d0223226fffe4166f42fdfd3b899b3c1e) [#4700](https://github.com/npm/npm/issues/4700) [#5044](https://github.com/npm/npm/issues/5044) `init-package-json@1.6.0`: Make entering an invalid version while running `npm init` give you an immediate error and prompt you to correct it. ([@watilde](https://github.com/watilde)) * [`738853e`](https://github.com/npm/npm/commit/738853eb1f55636476a2a410c2c04732eec9d51e) [#7763](https://github.com/npm/npm/issues/7763) `fs-write-stream-atomic@1.0.3`: Fix a bug where errors would not propagate, making error messages unhelpful. ([@iarna](https://github.com/iarna)) * [`6d74a2d`](https://github.com/npm/npm/commit/6d74a2d2ac7f92750cf6a2cfafae1af23b569098) `npm-package-arg@4.0.1`: Fix tests on windows ([@Bacra](https://github.com)) and with more recent `hosted-git-info`. ([@iarna](https://github.com/iarna)) * [`50f7178`](https://github.com/npm/npm/commit/50f717852fbf713ef6cbc4e0a9ab42657decbbbd) `hosted-git-info@2.1.4`: Correct spelling in its documentation. ([@iarna](https://github.com/iarna)) * [`d7956ca`](https://github.com/npm/npm/commit/d7956ca17c057d5383ff0d3fc5cf6ac2940b034d) `glob@5.0.7`: Fix a bug where unusual error conditions could make further use of the module fail. ([@isaacs](https://github.com/isaacs)) * [`44f7d74`](https://github.com/npm/npm/commit/44f7d74c5d3181d37da7ea7949c86b344153f8d9) `tap@1.1.0`: Update to the most recent tap to get a whole host of bug fixes and integration with [coveralls](https://coveralls.io/). ([@isaacs](https://github.com/isaacs)) * [`c21e8a8`](https://github.com/npm/npm/commit/c21e8a8d94bcf0ad79dc583ddc53f8366d4813b3) `nock@2.2.0` ([@othiym23](https://github.com/othiym23)) #### LICENSE FILES FOR THE LICENSE GOD * Add missing ISC license file to package ([@kasicka](https://github.com/kasicka)): * [`aa9908c`](https://github.com/npm/npm/commit/aa9908c20017729673b9d410b77f9a16b7aae8a4) `realize-package-specifier@3.0.1` * [`23a3b1a`](https://github.com/npm/npm/commit/23a3b1a726b9176c70ce0ccf3cd9d25c54429bdf) `fs-vacuum@1.2.6` * [`8e04bba`](https://github.com/npm/npm/commit/8e04bba830d4353d84751d21803cd127c96153a7) `dezalgo@1.0.2` * [`50f7178`](https://github.com/npm/npm/commit/50f717852fbf713ef6cbc4e0a9ab42657decbbbd) `hosted-git-info@2.1.4` * [`6a54917`](https://github.com/npm/npm/commit/6a54917fbd4df995495a95d4b548defd44b77c93) `write-file-atomic@1.1.2` * [`971f92c`](https://github.com/npm/npm/commit/971f92c4a4e5514217d1e4db45d1ccf71a60ff19) `async-some@1.0.2` * [`67b50b7`](https://github.com/npm/npm/commit/67b50b7667a42bb3340a660eb2e617e1a554d2d4) `normalize-git-url@1.0.1` #### SPDX LICENSE UPDATES * Switch license to [BSD-2-Clause](http://spdx.org/licenses/BSD-2-Clause.html#licenseText) from plain "BSD" ([@isaacs](https://github.com/isaacs)): * [`efdb733`](https://github.com/npm/npm/commit/efdb73332eeedcad4c609796929070b62abb37ab) `npm-user-validate@0.1.2` * [`e926783`](https://github.com/npm/npm/commit/e9267830ab261c751f12723e84d2458ae9238646) `normalize-package-data@2.2.0` * Switch license to [ISC](http://spdx.org/licenses/ISC.html#licenseText) from [BSD](http://spdx.org/licenses/BSD-2-Clause.html#licenseText) ([@isaacs](https://github.com/isaacs)): * [`c300956`](https://github.com/npm/npm/commit/c3009565a964f0ead4ac4ab234b1a458e2365f17) `block-stream@0.0.8` * [`1de1253`](https://github.com/npm/npm/commit/1de125355765fecd31e682ed0ff9d2edbeac0bb0) `lockfile@1.0.1` * [`0d5698a`](https://github.com/npm/npm/commit/0d5698ab132e376c7aec93ae357c274932116220) `osenv@0.1.1` * [`2e84921`](https://github.com/npm/npm/commit/2e84921474e1ffb18de9fce4616e73171fa8046d) `abbrev@1.0.6` * [`872fac9`](https://github.com/npm/npm/commit/872fac9d10c11607e4d0348c08a683b84e64d30b) `chmodr@0.1.1` * [`01eb7f6`](https://github.com/npm/npm/commit/01eb7f60acba584346ad8aae846657899f3b6887) `chownr@0.0.2` * [`294336f`](https://github.com/npm/npm/commit/294336f0f31c7b9fe31a50075ed750db6db134d1) `read@1.0.6` * [`ebdf6a1`](https://github.com/npm/npm/commit/ebdf6a14d17962cdb7128402c53b452f91d44ca7) `graceful-fs@3.0.7` * Switch license to [ISC](http://spdx.org/licenses/ISC.html#licenseText) from [MIT](http://spdx.org/licenses/MIT.html#licenseText) ([@isaacs](https://github.com/isaacs)): * [`e5d237f`](https://github.com/npm/npm/commit/e5d237fc0f436dd2a89437ebf8a9632a2e35ccbe) `nopt@3.0.2` * [`79fef14`](https://github.com/npm/npm/commit/79fef1421b78f044980f0d1bf0e97039b6992710) `rimraf@2.3.4` * [`22527da`](https://github.com/npm/npm/commit/22527da4816e7c2746cdc0317c5fb4a85152d554) `minimatch@2.0.8` * [`882ac87`](https://github.com/npm/npm/commit/882ac87a6c4123ca985d7ad4394ea5085e5b0ef5) `lru-cache@2.6.4` * [`9d9d015`](https://github.com/npm/npm/commit/9d9d015a2e972f68664dda54fbb204db28b21ede) `npmlog@1.2.1` ### v2.10.1 (2015-05-14): #### BUG FIXES & DOCUMENTATION TWEAKS * [`dc77520`](https://github.com/npm/npm/commit/dc7752013ffce13a3d3f13e518a0052c22fc1158) When getting back a 404 from a request to a private registry that uses a registry path that extends past the root (`http://registry.enterprise.co/path/to/registry`), display the name of the nonexistent package, rather than the first element in the registry API path. Sorry, Artifactory users! ([@hayes](https://github.com/hayes)) * [`f70dea9`](https://github.com/npm/npm/commit/f70dea9b4766f6eaa55012c3e8087e9cb04fd4ce) Make clearer that `--registry` can be used on a per-publish basis to push a package to a non-default registry. ([@mischkl](https://github.com/mischkl)) * [`a3e26f5`](https://github.com/npm/npm/commit/a3e26f5b4465991a941a325468ab7725670d2a94) Did you know that GitHub shortcuts can have commit-ishes included (`org/repo#branch`)? They can! ([@iarna](https://github.com/iarna)) * [`0e2c091`](https://github.com/npm/npm/commit/0e2c091a539b61fdc60423b6bbaaf30c24e4b1b8) Some errors from `readPackage` were being swallowed, potentially leading to invalid package trees on disk. ([@smikes](https://github.com/smikes)) #### DEPENDENCY UPDATES! STILL! MORE! AGAIN! * [`0b901ad`](https://github.com/npm/npm/commit/0b901ad0811d84dda6ca0755a9adc8d47825edd0) `lru-cache@2.6.3`: Removed some cruft from the published package. ([@isaacs](https://github.com/isaacs)) * [`d713e0b`](https://github.com/npm/npm/commit/d713e0b14930c563e3fdb6ac6323bae2a8924652) `mkdirp@0.5.1`: Made compliant with `standard`, dropped support for Node 0.6, added (Travis) support for Node 0.12 and io.js. ([@isaacs](https://github.com/isaacs)) * [`a2d6578`](https://github.com/npm/npm/commit/a2d6578b6554c5c9d48fe2006751759f4da57520) `glob@1.0.3`: Updated to use `tap@1`. ([@isaacs](https://github.com/isaacs)) * [`64cd1a5`](https://github.com/npm/npm/commit/64cd1a570aaa5f24ccba190948ec9456297c97f5) `fstream@ 1.0.6`: Made compliant with [`standard`](http://npm.im/standard) (done by [@othiym23](https://github.com/othiym23), and then debugged and fixed by [@iarna](https://github.com/iarna)), and license changed to ISC. ([@othiym23](https://github.com/othiym23) / [@iarna](https://github.com/iarna)) * [`b527a7c`](https://github.com/npm/npm/commit/b527a7c2ba3c4002f443dd2c536ff4ff41a38b86) `which@1.1.1`: Callers can pass in their own `PATH` instead of relying on `process.env`. ([@isaacs](https://github.com/isaacs)) ### v2.10.0 (2015-05-8): #### THE IMPLICATIONS ARE MORE PROFOUND THAN THEY APPEAR If you've done much development in The Enterprise®™, you know that keeping track of software licenses is far more important than one might expect / hope / fear. Tracking licenses is a hassle, and while many (if not most) of us have (reluctantly) gotten around to setting a license to use by default with all our new projects (even if it's just WTFPL), that's about as far as most of us think about it. In big enterprise shops, ensuring that projects don't inadvertently use software with unacceptably encumbered licenses is serious business, and developers spend a surprising (and appalling) amount of time ensuring that licensing is covered by writing automated checkers and other license auditing tools. The Linux Foundation has been working on a machine-parseable syntax for license expressions in the form of [SPDX](https://spdx.org/), an appropriately enterprisey acronym. IP attorney and JavaScript culture hero [Kyle Mitchell](http://kemitchell.com/) has put a considerable amount of effort into bringing SPDX to JavaScript and Node. He's written [`spdx.js`](https://github.com/kemitchell/spdx.js), a JavaScript SPDX expression parser, and has integrated it into npm in a few different ways. For you as a user of npm, this means: * npm now has proper support for dual licensing in `package.json`, due to SPDX's compound expression syntax. Run `npm help package.json` for details. * npm will warn you if the `package.json` for your project is either missing a `"license"` field, or if the value of that field isn't a valid SPDX expression (pro tip: `"BSD"` becomes `"BSD-2-Clause"` in SPDX (unless you really want one of its variants); `"MIT"` and `"ISC"` are fine as-is; the [full list](https://github.com/shinnn/spdx-license-ids/blob/master/spdx-license-ids.json) is its own package). * `npm init` now demands that you use a valid SPDX expression when using it interactively (pro tip: I mostly use `npm init -y`, having previously run `npm config set init.license=MIT` / `npm config set init.author.email=foo` / `npm config set init.author.name=me`). * The documentation for `package.json` has been updated to tell you how to use the `"license"` field properly with SPDX. In general, this shouldn't be a big deal for anybody other than people trying to run their own automated license validators, but in the long run, if everybody switches to this format, many people's lives will be made much simpler. I think this is an important improvement for npm and am very thankful to Kyle for taking the lead on this. Also, even if you think all of this is completely stupid, just [choose a license](http://en.wikipedia.org/wiki/License-free_software) anyway. Future you will thank past you someday, unless you are [djb](http://cr.yp.to/), in which case you are djb, and more power to you. * [`8669f7d`](https://github.com/npm/npm/commit/8669f7d88c472ccdd60e140106ac43cca636a648) [#8179](https://github.com/npm/npm/issues/8179) Document how to use SPDX in `license` stanzas in `package.json`, including how to migrate from old busted license declaration arrays to fancy new compound-license clauses. ([@kemitchell](https://github.com/kemitchell)) * [`98ad98c`](https://github.com/npm/npm/commit/98ad98cb11f3d3ba29a488ef1ab050b066d9c7f6) [#8197](https://github.com/npm/npm/issues/8197) `init-package-json@1.5.0` Ensure that packages bootstrapped with `npm init` use an SPDX-compliant license expression. ([@kemitchell](https://github.com/kemitchell)) * [`2ad3905`](https://github.com/npm/npm/commit/2ad3905e9139b0be2b22accf707b814469de813e) [#8197](https://github.com/npm/npm/issues/8197) `normalize-package-data@2.1.0`: Warn when a package is missing a license declaration, or using a license expression that isn't valid SPDX. ([@kemitchell](https://github.com/kemitchell)) * [`127bb73`](https://github.com/npm/npm/commit/127bb73ccccc59a1267851c702d8ebd3f3a97e81) [#8197](https://github.com/npm/npm/issues/8197) `tar@2.1.1`: Switch from `BSD` to `ISC` for license, where the latter is valid SPDX. ([@othiym23](https://github.com/othiym23)) * [`e9a933a`](https://github.com/npm/npm/commit/e9a933a9148180d9d799f99f4154f5110ff2cace) [#8197](https://github.com/npm/npm/issues/8197) `once@1.3.2`: Switch from `BSD` to `ISC` for license, where the latter is valid SPDX. ([@othiym23](https://github.com/othiym23)) * [`412401f`](https://github.com/npm/npm/commit/412401fb6a19b18f3e02d97a24d4dafed650c186) [#8197](https://github.com/npm/npm/issues/8197) `semver@4.3.4`: Switch from `BSD` to `ISC` for license, where the latter is valid SPDX. ([@othiym23](https://github.com/othiym23)) As a corollary to the previous changes, I've put some work into making `npm install` spew out fewer pointless warnings about missing values in transitive dependencies. From now on, npm will only warn you about missing READMEs, license fields, and the like for top-level projects (including packages you directly install into your application, but we may relax that eventually). Practically _nobody_ liked having those warnings displayed for child dependencies, for the simple reason that there was very little that anybody could _do_ about those warnings, unless they happened to be the maintainers of those dependencies themselves. Since many, many projects don't have SPDX-compliant licenses, the number of warnings reached a level where they ran the risk of turning into a block of visual noise that developers (read: me, and probably you) would ignore forever. So I fixed it. If you still want to see the messages about child dependencies, they're still there, but have been pushed down a logging level to `info`. You can display them by running `npm install -d` or `npm install --loglevel=info`. * [`eb18245`](https://github.com/npm/npm/commit/eb18245f55fb4cd62a36867744bcd1b7be0a33e2) Only warn on normalization errors for top-level dependencies. Transitive dependency validation warnings are logged at `info` level. ([@othiym23](https://github.com/othiym23)) #### BUG FIXES * [`e40e809`](https://github.com/npm/npm/commit/e40e8095d2bc9fa4eb8f01aa22067e0068fa8a54) `tap@1.0.1`: TAP: The Next Generation. Fix up many tests to they work properly with the new major version of `node-tap`. Look at all the colors! ([@isaacs](https://github.com/isaacs)) * [`f9314e9`](https://github.com/npm/npm/commit/f9314e97d26532c0ef2b03e98f3ed300b7cd5026) `nock@1.9.0`: Minor tweaks and bug fixes. ([@pgte](https://github.com/pgte)) * [`45c2b1a`](https://github.com/npm/npm/commit/45c2b1aaa051733fa352074994ae6e569fd51e8b) [#8187](https://github.com/npm/npm/issues/8187) `npm ls` wasn't properly recognizing dependencies installed from GitHub repositories as git dependencies, and so wasn't displaying them as such. ([@zornme](https://github.com/zornme)) * [`1ab57c3`](https://github.com/npm/npm/commit/1ab57c38116c0403965c92bf60121f0f251433e4) In some cases, `npm help` was using something that looked like a regular expression where a glob pattern should be used, and vice versa. ([@isaacs](https://github.com/isaacs)) ### v2.9.1 (2015-04-30): #### WOW! MORE GIT FIXES! YOU LOVE THOSE! The first item below is actually a pretty big deal, as it fixes (with a one-word change and a much, much longer test case (thanks again, [@iarna](https://github.com/iarna))) a regression that's been around for months now. If you're depending on multiple branches of a single git dependency in a single project, you probably want to check out `npm@2.9.1` and verify that things (again?) work correctly in your project. * [`178a6ad`](https://github.com/npm/npm/commit/178a6ad540215820d16217465a5f220d8c95a313) [#7202](https://github.com/npm/npm/issues/7202) When caching git dependencies, do so by the whole URL, including the branch name, so that if a single application depends on multiple branches from the same repository (in practice, multiple version tags), every install is of the correct version, instead of reusing whichever branch the caching process happened to check out first. ([@iarna](https://github.com/iarna)) * [`63b79cc`](https://github.com/npm/npm/commit/63b79ccde092a9cb3b1f34abe43e1d2ba69c0dbf) [#8084](https://github.com/npm/npm/issues/8084) Ensure that Bitbucket, GitHub, and Gitlab dependencies are installed the same way as non-hosted git dependencies, fixing `npm install --link`. ([@laiso](https://github.com/laiso)) #### DOCUMENTATION FIXES AND TWEAKS These changes may seem simple and small (except Lin's fix to the package name restrictions, which was more an egregious oversight on our part), but cleaner documentation makes npm significantly more pleasant to use. I really appreciate all the typo fixes, clarifications, and formatting tweaks people send us, and am delighted that we get so many of these pull requests. Thanks, everybody! * [`ca478dc`](https://github.com/npm/npm/commit/ca478dcaa29b8f07cd6fe515a3c4518166819291) [#8137](https://github.com/npm/npm/issues/8137) Somehow, we had failed to clearly document the full restrictions on package names. [@linclark](https://github.com/linclark) has now fixed that, although we will take with us to our graves the reasons why the maximum package name length is 214 characters (well, OK, it was that that was the longest name in the registry when we decided to put a cap on the name length). ([@linclark](https://github.com/linclark)) * [`b574076`](https://github.com/npm/npm/commit/b5740767c320c1eff3576a8d63952534a0fbb936) [#8079](https://github.com/npm/npm/issues/8079) Make the `npm shrinkwrap` documentation use code formatting for examples consistently. It would be great to do this for more commands HINT HINT. ([@RichardLitt](https://github.com/RichardLitt)) * [`1ff636e`](https://github.com/npm/npm/commit/1ff636e2db3852a53e38c866fed7eafdacd307fc) [#8105](https://github.com/npm/npm/issues/8105) Document that the global `npmrc` goes in `$PREFIX/etc/npmrc`, instead of `$PREFIX/npmrc`. ([@anttti](https://github.com/anttti)) * [`c3f2f7c`](https://github.com/npm/npm/commit/c3f2f7c299342e1c1eccc55a976a63c607f51621) [#8127](https://github.com/npm/npm/issues/8127) Document how to use `npm run build` directly (hint: it's different from `npm build`!). ([@mikemaccana](https://github.com/mikemaccana)) * [`873e467`](https://github.com/npm/npm/commit/873e46757e1986761b15353f94580a071adcb383) [#8069](https://github.com/npm/npm/issues/8069) Take the old, dead npm mailing list address out of `package.json`. It seems that people don't have much trouble figuring out how to report errors to npm. ([@robertkowalski](https://github.com/robertkowalski)) #### ENROBUSTIFICATIONMENT * [`5abfc9c`](https://github.com/npm/npm/commit/5abfc9c9017da714e47a3aece750836b4f9af6a9) [#7973](https://github.com/npm/npm/issues/7973) `npm run-script` completion will only suggest run scripts, instead of including dependencies. If for some reason you still wanted it to suggest dependencies, let us know. ([@mantoni](https://github.com/mantoni)) * [`4b564f0`](https://github.com/npm/npm/commit/4b564f0ce979dc74c09604f4d46fd25a2ee63804) [#8081](https://github.com/npm/npm/issues/8081) Use `osenv` to parse the environment's `PATH` in a platform-neutral way. ([@watilde](https://github.com/watilde)) * [`a4b6238`](https://github.com/npm/npm/commit/a4b62387b41848818973eeed056fd5c6570274f3) [#8094](https://github.com/npm/npm/issues/8094) When we refactored the configuration code to split out checking for IPv4 local addresses, we inadvertently completely broke it by failing to return the values. In addition, just the call to `os.getInterfaces()` could throw on systems where querying the network configuration requires elevated privileges (e.g. Amazon Lambda). Add the return, and trap errors so they don't cause npm to explode. Thanks to [@mhart](https://github.com/mhart) for bringing this to our attention! ([@othiym23](https://github.com/othiym23)) #### DEPENDENCY UPDATES WAIT FOR NO SOPHONT * [`000cd8b`](https://github.com/npm/npm/commit/000cd8b52104942ac3404f0ad0651d82f573da37) `rimraf@2.3.3`: More informative assertions on argument validation failure. ([@isaacs](https://github.com/isaacs)) * [`530a2e3`](https://github.com/npm/npm/commit/530a2e369128270f3e098f0e9be061533003b0eb) `lru-cache@2.6.2`: Revert to old key access-time behavior, as it was correct all along. ([@isaacs](https://github.com/isaacs)) * [`d88958c`](https://github.com/npm/npm/commit/d88958ca02ce81b027b9919aec539d0145875a59) `minimatch@2.0.7`: Feature detection and test improvements. ([@isaacs](https://github.com/isaacs)) * [`3fa39e4`](https://github.com/npm/npm/commit/3fa39e4d492609d5d045033896dcd99f7b875329) `nock@1.7.1` ([@pgte](https://github.com/pgte)) ### v2.9.0 (2015-04-23): This week was kind of a breather to concentrate on fixing up the tests on the `multi-stage` branch, and not mess with git issues for a little while. Unfortunately, There are now enough severe git issues that we'll probably have to spend another couple weeks tackling them. In the meantime, enjoy these two small features. They're just enough to qualify for a semver-minor bump: #### NANOFEATURES * [`2799322`](https://github.com/npm/npm/commit/279932298ce5b589c5eea9439ac40b88b99c6a4a) [#7426](https://github.com/npm/npm/issues/7426) Include local modules in `npm outdated` and `npm update`. ([@ArnaudRinquin](https://github.com/ArnaudRinquin)) * [`2114862`](https://github.com/npm/npm/commit/21148620fa03a582f4ec436bb16bd472664f2737) [#8014](https://github.com/npm/npm/issues/8014) The prefix used before the version on version tags is now configurable via `tag-version-prefix`. Be careful with this one and read the docs before using it. ([@kkragenbrink](https://github.com/kkragenbrink)) #### OTHER MINOR TWEAKS * [`18ce0ec`](https://github.com/npm/npm/commit/18ce0ecd2d94ad3af01e997f1396515892dd363c) [#3032](https://github.com/npm/npm/issues/3032) `npm unpublish` will now use the registry set in `package.json`, just like `npm publish`. This only applies, for now, when unpublishing the entire package, as unpublishing a single version requires the name be included on the command line and therefore doesn't read from `package.json`. ([@watilde](https://github.com/watilde)) * [`9ad2100`](https://github.com/npm/npm/commit/9ad210042242e51d52b2a8b633d8e59248f5faa4) [#8008](https://github.com/npm/npm/issues/8008) Once again, when considering what to install on `npm install`, include `devDependencies`. ([@smikes](https://github.com/smikes)) * [`5466260`](https://github.com/npm/npm/commit/546626059909dca1906454e820ca4e315c1795bd) [#8003](https://github.com/npm/npm/issues/8003) Clarify the documentation around scopes to make it easier to understand how they support private packages. ([@smikes](https://github.com/smikes)) #### DEPENDENCIES WILL NOT STOP UNTIL YOU ARE VERY SLEEPY * [`faf65a7`](https://github.com/npm/npm/commit/faf65a7bbb2fad13216f64ed8f1243bafe743f97) `init-package-json@1.4.2`: If there are multiple validation errors and warnings, ensure they all get displayed (includes a rad new way of testing `init-package-json` contributed by [@michaelnisi](https://github.com/michaelnisi)). ([@MisumiRize](https://github.com/MisumiRize)) * [`7f10f38`](https://github.com/npm/npm/commit/7f10f38d29a8423d7cde8103fa7b64ac728da1e0) `editor@1.0.0`: `1.0.0` is literally more than `0.1.0` (no change aside from version number). ([@substack](https://github.com/substack)) * [`4979af3`](https://github.com/npm/npm/commit/4979af3fcae5a3962383b7fdad3162381e62eefe) [#6805](https://github.com/npm/npm/issues/6805) `npm-registry-client@6.3.3`: Decode scoped package names sent by the registry so they look nicer. ([@mmalecki](https://github.com/mmalecki)) ### v2.8.4 (2015-04-16): This is the fourth release of npm this week, so it's mostly just landing a few small outstanding PRs on dependencies and some tiny documentation tweaks. `npm@2.8.3` is where the real action is. * [`ee2bd77`](https://github.com/npm/npm/commit/ee2bd77f3c64d38735d1d31028224a5c40422a9b) [#7983](https://github.com/npm/npm/issues/7983) `tar@2.1.0`: Better error reporting in corrupted tar files, and add support for the `fromBase` flag (rescued from the dustbin of history by [@deanmarano](https://github.com/deanmarano)). ([@othiym23](https://github.com/othiym23)) * [`d8eee6c`](https://github.com/npm/npm/commit/d8eee6cf9d2ff7aca68dfaed2de76824a3e0d9af) `init-package-json@1.4.1`: Add support for a default author, and only add scope to a package name once. ([@othiym23](https://github.com/othiym23)) * [`4fc5d98`](https://github.com/npm/npm/commit/4fc5d98b785f601c60d4dc0a2c8674f0cccf6262) `lru-cache@2.6.1`: Small tweaks to cache value aging and entry counting that are irrelevant to npm. ([@isaacs](https://github.com/isaacs)) * [`1fe5840`](https://github.com/npm/npm/commit/1fe584089f5bef133de5518aa26eaf6064be2bf7) [#7946](https://github.com/npm/npm/issues/7946) Make `npm init` text friendlier. ([@sandfox](https://github.com/sandfox)) ### v2.8.3 (2015-04-15): #### TWO SMALL GIT TWEAKS This is the last of a set of releases intended to ensure npm's git support is robust enough that we can stop working on it for a while. These fixes are small, but prevent a common crasher and clear up one of the more confusing error messages coming out of npm when working with repositories hosted on git. * [`387f889`](https://github.com/npm/npm/commit/387f889c0e8fb617d9cc9a42ed0a3ec49424ab5d) [#7961](https://github.com/npm/npm/issues/7961) Ensure that hosted git SSH URLs always have a valid protocol when stored in `resolved` fields in `npm-shrinkwrap.json`. ([@othiym23](https://github.com/othiym23)) * [`394c2f5`](https://github.com/npm/npm/commit/394c2f5a1227232c0baf42fbba1402aafe0d6ffb) Switch the order in which hosted Git providers are checked to `git:`, `git+https:`, then `git+ssh:` (from `git:`, `git+ssh:`, then `git+https:`) in an effort to go from most to least likely to succeed, to make for less confusing error message. ([@othiym23](https://github.com/othiym23)) ### v2.8.2 (2015-04-14): #### PEACE IN OUR TIME npm has been having an issue with CouchDB's web server since the release of io.js and Node.js 0.12.0 that has consumed a huge amount of my time to little visible effect. Sam Mikes picked up the thread from me, and after a [_lot_ of effort](https://github.com/npm/npm/issues/7699#issuecomment-93091111) figured out that ultimately there are probably a couple problems with the new HTTP Agent keep-alive handling in new versions of Node. In addition, `npm-registry-client` was gratuitously sending a body along with a GET request which was triggering the bugs. Sam removed about 10 bytes from one file in `npm-registry-client`, and this problem, which has been bugging us for months, completely went away. In conclusion, Sam Mikes is great, and anybody using a private registry hosted on CouchDB should thank him for his hard work. Also, thanks to the community at large for pitching in on this bug, which has been around for months now. * [`431c3bf`](https://github.com/npm/npm/commit/431c3bf6cdec50f9f0c735f478cb2f3f337d3313) [#7699](https://github.com/npm/npm/issues/7699) `npm-registry-client@6.3.2`: Don't send body with HTTP GET requests when logging in. ([@smikes](https://github.com/smikes)) ### v2.8.1 (2015-04-12): #### CORRECTION: NPM'S GIT INTEGRATION IS DOING OKAY A [helpful bug report](https://github.com/npm/npm/issues/7872#issuecomment-91809553) led to another round of changes to [`hosted-git-info`](https://github.com/npm/hosted-git-info/commit/827163c74531b69985d1ede7abced4861e7b0cd4), some additional test-writing, and a bunch of hands-on testing against actual private repositories. While the complexity of npm's git dependency handling is nearly fractal (because npm is very complex, and git is even more complex), it's feeling way more solid than it has for a while. We think this is a substantial improvement over what we had before, so give `npm@2.8.1` a shot if you have particularly complex git use cases and [let us know](https://github.com/npm/npm/issues/new) how it goes. (NOTE: These changes mostly affect cloning and saving references to packages hosted in git repositories, and don't address some known issues with things like lifecycle scripts not being run on npm dependencies. Work continues on other issues that affect parity between git and npm registry packages.) * [`66377c6`](https://github.com/npm/npm/commit/66377c6ece2cf4d53d9a618b7d9824e1452bc293) [#7872](https://github.com/npm/npm/issues/7872) `hosted-git-info@2.1.2`: Pass through credentials embedded in SSH and HTTPs git URLs. ([@othiym23](https://github.com/othiym23)) * [`15efe12`](https://github.com/npm/npm/commit/15efe124753257728a0ddc64074fa5a4b9c2eb30) [#7872](https://github.com/npm/npm/issues/7872) Use the new version of `hosted-git-info` to pass along credentials embedded in git URLs. Test it. Test it a lot. ([@othiym23](https://github.com/othiym23)) #### SCOPED DEPENDENCIES AND PEER DEPENDENCIES: NOT QUITE REESE'S Big thanks to [@ewie](https://github.com/ewie) for identifying an issue with how npm was handling `peerDependencies` that were implicitly installed from the `package.json` files of scoped dependencies. This [will be a moot point](https://github.com/npm/npm/issues/6565#issuecomment-74971689) with the release of `npm@3`, but until then, it's important that `peerDependency` auto-installation work as expected. * [`b027319`](https://github.com/npm/npm/commit/b0273190c71eba14395ddfdd1d9f7ba625297523) [#7920](https://github.com/npm/npm/issues/7920) Scoped packages with `peerDependencies` were installing the `peerDependencies` into the wrong directory. ([@ewie](https://github.com/ewie)) * [`649e31a`](https://github.com/npm/npm/commit/649e31ae4fd02568bae5dc6b4ea783431ce3d63e) [#7920](https://github.com/npm/npm/issues/7920) Test `peerDependency` installs involving scoped packages using `npm-package-arg` instead of simple path tests, for consistency. ([@othiym23](https://github.com/othiym23)) #### MAKING IT EASIER TO WRITE NPM TESTS, VERSION 0.0.1 [@iarna](https://github.com/iarna) and I ([@othiym23](https://github.com/othiym23)) have been discussing a [candidate plan](https://github.com/npm/npm/wiki/rewriting-npm's-tests:-a-plan-maybe) for improving npm's test suite, with the goal of making it easier for new contributors to get involved with npm by reducing the learning curve necessary to be able to write good tests for proposed changes. This is the first substantial piece of that effort. Here's what the commit message for [`ed7e249`](https://github.com/npm/npm/commit/ed7e249d50444312cd266942ce3b89e1ca049bdf) had to say about this work: > It's too difficult for npm contributors to figure out what the conventional > style is for tests. Part of the problem is that the documentation in > CONTRIBUTING.md is inadequate, but another important factor is that the tests > themselves are written in a variety of styles. One of the most notable > examples of this is the fact that many tests use fixture directories to store > precooked test scenarios and package.json files. > > This had some negative consequences: > > * tests weren't idempotent > * subtle dependencies between tests existed > * new tests get written in this deprecated style because it's not > obvious that the style is out of favor > * it's hard to figure out why a lot of those directories existed, > because they served a variety of purposes, so it was difficult to > tell when it was safe to remove them > > All in all, the fixture directories were a major source of technical debt, and > cleaning them up, while time-consuming, makes the whole test suite much more > approachable, and makes it more likely that new tests written by outside > contributors will follow a conventional style. To support that, all of the > tests touched by this changed were cleaned up to pass the `standard` style > checker. And here's a little extra context from a comment I left on [#7929](https://github.com/npm/npm/issues/7929): > One of the other things that encouraged me was looking at this > [presentation on technical debt](http://www.slideshare.net/nnja/pycon-2015-technical-debt-the-monster-in-your-closet) > from Pycon 2015, especially slide 53, which I interpreted in terms of > difficulty getting new contributors to submit patches to an OSS project like > npm. npm has a long ways to go, but I feel good about this change. * [`ed7e249`](https://github.com/npm/npm/commit/ed7e249d50444312cd266942ce3b89e1ca049bdf) [#7929](https://github.com/npm/npm/issues/7929) Eliminate fixture directories from `test/tap`, leaving each test self-contained. ([@othiym23](https://github.com/othiym23)) * [`4928d30`](https://github.com/npm/npm/commit/4928d30140821c63e03fffed73f8d88ebdc43710) [#7929](https://github.com/npm/npm/issues/7929) Move fixture files from `test/tap/*` to `test/fixtures`. ([@othiym23](https://github.com/othiym23)) * [`e925deb`](https://github.com/npm/npm/commit/e925debca91092a814c1a00933babc3a8cf975be) [#7929](https://github.com/npm/npm/issues/7929) Tweak the run scripts to stop slaughtering the CPU on doc rebuild. ([@othiym23](https://github.com/othiym23)) * [`65bf7cf`](https://github.com/npm/npm/commit/65bf7cffaf91c426b676c47529eee796f8b8b75c) [#7923](https://github.com/npm/npm/issues/7923) Use an alias of scripts and run-scripts in `npm run test-all` ([@watilde](https://github.com/watilde)) * [`756a3fb`](https://github.com/npm/npm/commit/756a3fbb852a2469afe706635ed88d22c37743e5) [#7923](https://github.com/npm/npm/issues/7923) Sync timeout time of `npm run-script test-all` to be the same as `test` and `tap` scripts. ([@watilde](https://github.com/watilde)) * [`8299b5f`](https://github.com/npm/npm/commit/8299b5fb6373354a7fbaab6f333863758812ae90) Set a timeout for tap tests for `npm run-script test-all`. ([@othiym23](https://github.com/othiym23)) #### THE EVER-BEATING DRUM OF DEPENDENCY UPDATES * [`d90d0b9`](https://github.com/npm/npm/commit/d90d0b992acbf62fd5d68debf9d1dbd6cfa20804) [#7924](https://github.com/npm/npm/issues/7924) Remove `child-process-close`, as it was included for Node 0.6 compatibility, and npm no longer supports 0.6. ([@robertkowalski](https://github.com/robertkowalski)) * [`16427c1`](https://github.com/npm/npm/commit/16427c1f3ea3d71ee753c62eb4c2663c7b32b84f) `lru-cache@2.5.2`: More accurate updating of expiry times when `maxAge` is set. ([@isaacs](https://github.com/isaacs)) * [`03cce83`](https://github.com/npm/npm/commit/03cce83b64344a9e0fe036dce214f4d68cfcc9e7) `nock@1.6.0`: Mocked network error handling. ([@pgte](https://github.com/pgte)) * [`f93b1f0`](https://github.com/npm/npm/commit/f93b1f0b7eb5d1b8a7967e837bbd756db1091d00) `glob@5.0.5`: Use `path-is-absolute` polyfill, allowing newer Node.js and io.js versions to use `path.isAbsolute()`. ([@sindresorhus](https://github.com/sindresorhus)) * [`a70d694`](https://github.com/npm/npm/commit/a70d69495a6e96997e64855d9e749d943ee6d64f) `request@2.55.0`: Bug fixes and simplification. ([@simov](https://github.com/simov)) * [`2aecc6f`](https://github.com/npm/npm/commit/2aecc6f4083526feeb14615b4e5484edc66175b5) `columnify@1.5.1`: Switch to using babel from 6to5. ([@timoxley](https://github.com/timoxley)) ### v2.8.0 (2015-04-09): #### WE WILL NEVER BE DONE FIXING NPM'S GIT SUPPORT If you look at [the last release's release notes](https://github.com/npm/npm/blob/master/CHANGELOG.md#git-mean-git-tuff-git-all-the-way-away-from-my-stuff), you will note that they confidently assert that it's perfectly OK to force all GitHub URLs through the same `git:` -> `git+ssh:` fallback flow for cloning. It turns out that many users depend on `git+https:` URLs in their build environments because they use GitHub auth tokens instead of SSH keys. Also, in some cases you just want to be able to explicitly say how a given dependency should be cloned from GitHub. Because of the way we resolved the inconsistency in GitHub shorthand handling [before](https://github.com/npm/npm/blob/master/CHANGELOG.md#bug-fixes-1), this turned out to be difficult to work around. So instead of hacking around it, we completely redid how git is handled within npm and its attendant packages. Again. This time, we changed things so that `normalize-package-data` and `read-package-json` leave more of the git logic to npm itself, which makes handling shorthand syntax consistently much easier, and also allows users to resume using explicit, fully-qualified git URLs without npm messing with them. Here's a summary of what's changed: * Instead of converting the GitHub shorthand syntax to a `git+ssh:`, `git:`, or `git+https:` URL and saving that, save the shorthand itself to `package.json`. * If presented with shortcuts, try cloning via the git protocol, SSH, and HTTPS (in that order). * No longer prompt for credentials -- it didn't work right with the spinner, and wasn't guaranteed to work anyway. We may experiment with doing this a better way in the future. Users can override this by setting `GIT_ASKPASS` in their environment if they want to experiment with interactive cloning, but should also set `--no-spin` on the npm command line (or run `npm config set spin=false`). * **EXPERIMENTAL FEATURE**: Add support for `github:`, `gist:`, `bitbucket:`, and `gitlab:` shorthand prefixes. GitHub shortcuts will continue to be normalized to `org/repo` instead of being saved as `github:org/repo`, but `gitlab:`, `gist:`, and `bitbucket:` prefixes will be used on the command line and from `package.json`. BE CAREFUL WITH THIS. `package.json` files published with the new shorthand syntax can _only_ be read by `npm@2.8.0` and later, and this feature is mostly meant for playing around with it. If you want to save git dependencies in a form that older versions of npm can read, use `--save-exact`, which will save the git URL and resolved commit hash of the head of the branch in a manner similar to the way that `--save-exact` pins versions for registry dependencies. This is documented (so check `npm help install` for details), but we're not going to make a lot of noise about it until it has a chance to bake in a little more. It is [@othiym23](https://github.com/othiym23)'s sincere hope that this will resolve all of the inconsistencies users were seeing with GitHub and git-hosted packages, but given the level of change here, that may just be a fond wish. Extra testing of this change is requested. * [`6b0f588`](https://github.com/npm/npm/commit/6b0f58877f37df9904490ffbaaad33862bd36dce) [#7867](https://github.com/npm/npm/issues/7867) Use git shorthand and git URLs as presented by user. Support new `hosted-git-info` shortcut syntax. Save shorthand in `package.json`. Try cloning via `git:`, `git+ssh:`, and `git+https:`, in that order, when supported by the underlying hosting provider. ([@othiym23](https://github.com/othiym23)) * [`75d4267`](https://github.com/npm/npm/commit/75d426787869d54ca7400408f562f971b34649ef) [#7867](https://github.com/npm/npm/issues/7867) Document new GitHub, GitHub gist, Bitbucket, and GitLab shorthand syntax. ([@othiym23](https://github.com/othiym23)) * [`7d92c75`](https://github.com/npm/npm/commit/7d92c7592998d90ec883fa989ca74f04ec1b93de) [#7867](https://github.com/npm/npm/issues/7867) When `--save-exact` is used with git shorthand or URLs, save the fully-resolved URL, with branch name resolved to the exact hash for the commit checked out. ([@othiym23](https://github.com/othiym23)) * [`9220e59`](https://github.com/npm/npm/commit/9220e59f8def8c82c6d331a39ba29ad4c44e3a9b) [#7867](https://github.com/npm/npm/issues/7867) Ensure that non-prefixed and non-normalized GitHub shortcuts are saved to `package.json`. ([@othiym23](https://github.com/othiym23)) * [`dd398e9`](https://github.com/npm/npm/commit/dd398e98a8eba27eeba84378200da3d078fdf980) [#7867](https://github.com/npm/npm/issues/7867) `hosted-git-info@2.1.1`: Ensure that `gist:` shorthand survives being round-tripped through `package.json`. ([@othiym23](https://github.com/othiym23)) * [`33d1420`](https://github.com/npm/npm/commit/33d1420bf2f629332fceb2ac7e174e63ac48f96a) [#7867](https://github.com/npm/npm/issues/7867) `hosted-git-info@2.1.0`: Add support for auth embedded directly in git URLs. ([@othiym23](https://github.com/othiym23)) * [`23a1d5a`](https://github.com/npm/npm/commit/23a1d5a540e8db27f5cd0245de7c3694e2bddad1) [#7867](https://github.com/npm/npm/issues/7867) `hosted-git-info@2.0.2`: Make it possible to determine in which form a hosted git URL was passed. ([@iarna](https://github.com/iarna)) * [`eaf75ac`](https://github.com/npm/npm/commit/eaf75acb718611ad5cfb360084ec86938d9c66c5) [#7867](https://github.com/npm/npm/issues/7867) `normalize-package-data@2.0.0`: Normalize GitHub specifiers so they pass through shortcut syntax and preserve explicit URLs. ([@iarna](https://github.com/iarna)) * [`95e0535`](https://github.com/npm/npm/commit/95e0535e365e0aca49c634dd2061a0369b0475f1) [#7867](https://github.com/npm/npm/issues/7867) `npm-package-arg@4.0.0`: Add git URL and shortcut to hosted git spec and use `hosted-git-info@2.0.2`. ([@iarna](https://github.com/iarna)) * [`a808926`](https://github.com/npm/npm/commit/a8089268d5f3d57f42dbaba02ff6437da5121191) [#7867](https://github.com/npm/npm/issues/7867) `realize-package-specifier@3.0.0`: Use `npm-package-arg@4.0.0` and test shortcut specifier behavior. ([@iarna](https://github.com/iarna)) * [`6dd1e03`](https://github.com/npm/npm/commit/6dd1e039bddf8cf5383343f91d84bc5d78acd083) [#7867](https://github.com/npm/npm/issues/7867) `init-package-json@1.4.0`: Allow dependency on `read-package-json@2.0.0`. ([@iarna](https://github.com/iarna)) * [`63254bb`](https://github.com/npm/npm/commit/63254bb6358f66752aca6aa1a275271b3ae03f7c) [#7867](https://github.com/npm/npm/issues/7867) `read-installed@4.0.0`: Use `read-package-json@2.0.0`. ([@iarna](https://github.com/iarna)) * [`254b887`](https://github.com/npm/npm/commit/254b8871f5a173bb464cc5b0ace460c7878b8097) [#7867](https://github.com/npm/npm/issues/7867) `read-package-json@2.0.0`: Use `normalize-package-data@2.0.0`. ([@iarna](https://github.com/iarna)) * [`0b9f8be`](https://github.com/npm/npm/commit/0b9f8be62fe5252abe54d49e36a696f4816c2eca) [#7867](https://github.com/npm/npm/issues/7867) `npm-registry-client@6.3.0`: Mark compatibility with `normalize-package-data@2.0.0` and `npm-package-arg@4.0.0`. ([@iarna](https://github.com/iarna)) * [`f40ecaa`](https://github.com/npm/npm/commit/f40ecaad68f77abc50eb6f5b224e31dec3d250fc) [#7867](https://github.com/npm/npm/issues/7867) Extract a common method to use when cloning git repos for testing. ([@othiym23](https://github.com/othiym23)) #### TEST FIXES FOR NODE 0.8 npm continues to [get closer](https://github.com/npm/npm/issues/7842) to being completely green on Travis for Node 0.8. * [`26d36e9`](https://github.com/npm/npm/commit/26d36e9cf0eca69fe1863d2ea536c28555b9e8de) [#7842](https://github.com/npm/npm/issues/7842) When spawning child processes, map exit code 127 to ENOENT so Node 0.8 handles child process failures the same as later versions. ([@SonicHedgehog](https://github.com/SonicHedgehog)) * [`54cd895`](https://github.com/npm/npm/commit/54cd8956ea783f96749e46597d8c2cb9397c5d5f) [#7842](https://github.com/npm/npm/issues/7842) Node 0.8 requires -e with -p when evaluating snippets; fix test. ([@SonicHedgehog](https://github.com/SonicHedgehog)) #### SMALL FIX AND DOC TWEAK * [`20e9003`](https://github.com/npm/npm/commit/20e90031b847e9f7c7168f3dad8b1e526f9a2586) `tar@2.0.1`: Fix regression where relative symbolic links within an extraction root that pointed within an extraction root would get normalized to absolute symbolic links. ([@isaacs](https://github.com/isaacs)) * [`2ef8898`](https://github.com/npm/npm/commit/2ef88989c41bee1578570bb2172c90ede129dbd1) [#7879](https://github.com/npm/npm/issues/7879) Better document that `npm publish --tag=foo` will not set `latest` to that version. ([@linclark](https://github.com/linclark)) ### v2.7.6 (2015-04-02): #### GIT MEAN, GIT TUFF, GIT ALL THE WAY AWAY FROM MY STUFF Part of the reason that we're reluctant to take patches to how npm deals with git dependencies is that every time we touch the git support, something breaks. The last few releases are a case in point. `npm@2.7.4` completely broke installing private modules from GitHub, and `npm@2.7.5` fixed them at the cost of logging a misleading error message that caused many people to believe that their dependencies hadn't been successfully installed when they actually had been. This all started from a desire to ensure that GitHub shortcut syntax is being handled correctly. The correct behavior is for npm to try to clone all dependencies on GitHub (whether they're specified with the GitHub `organization/repository` shortcut syntax or not) via the plain `git:` protocol first, and to fall back to using `git+ssh:` if `git:` doesn't work. Previously, sometimes npm would use `git:` and `git+ssh:` in some cases (most notably when using GitHub shortcut syntax on the command line), and use `git+https:` in others (when the GitHub shortcut syntax was present in `package.json`). This led to subtle and hard-to-understand inconsistencies, and we're glad that as of `npm@2.7.6`, we've finally gotten things to where they were before we started, only slightly more consistent overall. We are now going to go back to our policy of being extremely reluctant to touch the code that handles Git dependencies. * [`b747593`](https://github.com/npm/npm/commit/b7475936f473f029e6a027ba1b16277523747d0b) [#7630](https://github.com/npm/npm/issues/7630) Don't automatically log all git failures as errors. `maybeGithub` needs to be able to fail without logging to support its fallback logic. ([@othiym23](https://github.com/othiym23)) * [`cd67a0d`](https://github.com/npm/npm/commit/cd67a0db07891d20871822696c26692c8a84866a) [#7829](https://github.com/npm/npm/issues/7829) When fetching a git remote URL, handle failures gracefully (without assuming standard output exists). ([@othiym23](https://github.com/othiym23)) * [`637c7d1`](https://github.com/npm/npm/commit/637c7d1411fe07f409cf91f2e65fd70685cb253c) [#7829](https://github.com/npm/npm/issues/7829) When fetching a git remote URL, handle failures gracefully (without assuming standard _error_ exists). ([@othiym23](https://github.com/othiym23)) #### OTHER SIGNIFICANT FIXES * [`78005eb`](https://github.com/npm/npm/commit/78005ebb6f4103c20f077669c3929b7ea46a4c0d) [#7743](https://github.com/npm/npm/issues/7743) Always quote arguments passed to `npm run-script`. This allows build systems and the like to safely escape glob patterns passed as arguments to `run-scripts` with `npm run-script