./lang/npm, Package manager for JavaScript

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]


Branch: CURRENT, Version: 6.4.1, Package name: npm-6.4.1, Maintainer: filip

npm is a package manager for node. You can use it to install and
publish your node programs.


Required to run:
[lang/python27] [lang/nodejs]

Required to build:
[pkgtools/cwrappers]

Master sites:

SHA1: e35a0e60c8640dc118b00b0289970d8b5f68441f
RMD160: 52a17e43d65c0695fe1fb6f132f744e2f19c061c
Filesize: 5149.969 KB

Version history: (Expand)


CVS history: (Expand)


   2018-09-07 13:51:10 by Filip Hajny | Files touched by this commit (3) | Package updated
Log message:
lang/npm: Update to 6.4.1.

6.4.1

BUGFIXES

- Prevent blowing up on malformed responses from the npm audit
  endpoint, such as with third-party registries.
- Fix NO_PROXY support by renaming npm-side config to --noproxy. The
  environment variable should still work.
- Disable update-notifier checks when a CI environment is detected.
- Fix issue where postpack scripts would break if pack was used with
  --dry-run.

DEPENDENCY BUMPS

- figgy-pudding@3.4.1
- cacache@11.2.0
- npm-packlist@1.1.11
- libcipm@2.0.2
- JSONStream@1.3.4
- npm-lifecycle@2.1.0
- npm-registry-client@8.6.0
- opener@1.5.0
- request@2.88.0
- tacks@1.2.7
- ci-info@1.4.0
- marked@0.5.0

DOCUMENTATION

- Mention registry terms of use in manpage and registry docs and
  update language in README for it.
- Add documentation for --dry-run in install and pack docs.
- Update republish time and lightly reorganize republish info.
- Correct npm@6.4.0 release date in changelog.
- Align command descriptions in help text.

6.4.0

NEW FEATURES

- Search for authentication token defined by environment variables by
  preventing the translation layer from env variable to npm option
  from breaking :_authToken.
- Stop filtering out non-IPv4 addresses from local-addrs, making npm
  actually use IPv6 addresses when it must.
- Configurable audit level for non-zero exit npm audit currently exits
  with exit code 1 if any vulnerabilities are found of any level. Add
  a flag of --audit-level to npm audit to allow it to pass if only
  vulnerabilities below a certain level are found. Example: npm audit
  --audit-level=high will exit with 0 if only low or moderate level
  vulns are detected.

BUGFIXES

- Don't check for updates to npm when we are updating npm itself.
   2018-08-25 22:46:29 by Adam Ciarcinski | Files touched by this commit (1)
Log message:
npm: fix building with PKGREVISION
   2018-08-22 11:48:07 by Thomas Klausner | Files touched by this commit (3558)
Log message:
Recursive bump for perl5-5.28.0
   2018-08-02 14:28:35 by Filip Hajny | Files touched by this commit (3) | Package updated
Log message:
lang/npm: Update tp 6.3.0.

## v6.3.0 (2018-08-01):

- `figgy-pudding@3.2.0`
- `cacache@11.1.0`

## v6.3.0-next.0 (2018-07-25):

### NEW FEATURES

- `npm version` now supports a `--preid` option to specify the preid
  for prereleases. For example, `npm version premajor --preid rc` will tag
  a version like `2.0.0-rc.0`.

### MESSAGING IMPROVEMENTS

- Make `npm audit fix` message provide better instructions for
  vulnerabilities that require manual review.
- Fix missing colon next to tarball url in new `npm view` output.
- Use the defaut OTP explanation everywhere except when the context is
  "OTP-aware" (like when setting double-authentication). This improves
  the overall CLI messaging when prompting for an OTP code.

### MISC

- Use the extracted `stringify-package` package.
- `wrappy` was previously added to dependencies in order to flatten
  it, but we no longer do legacy-style for npm itself, so it has been
  removed from `package.json`.

## v6.2.0 (2018-07-13):

### FEATURES

- Add support for tab-separated output for `npm audit` data with the
  `--parseable` flag.
- Add new `sign-git-commit` config to control whether the git commit
  itself gets signed, or just the tag (which is the default).

### FIXES

- Do not use `SET` to fetch the env in git-bash or Cygwin.

### DEPENDENCY BUMPS

- `request@2.81.0`: Downgraded to allow better deduplication. This
  does introduce a bunch of `hoek`-related audit reports, but they don't
  affect npm itself so we consider it safe. We'll upgrade `request` again
  once `node-gyp` unpins it.
- `node-gyp@3.7.0`
_ `cli-table3@0.5.0`: `cli-table2` is unmaintained and required
  `lodash`. With this dependency bump, we've removed `lodash` from our tree,
  which cut back tarball size by another 300kb.
- `npm-audit-report@1.3.1`
- Add `cli-table3` to bundleDeps.
- Make `standard` happy.

## v6.2.0-next.1 (2018-07-05):

- Remove postinstall script that depended on source files, thus
  preventing `npm@next` from being installable from the registry.

## v6.2.0-next.0 (2018-06-28):

### NEW FEATURES

- You can now disable the update notifier entirely by using
  `--no-update-notifier` or setting it in your config with `npm config
  set update-notifier false`.
- When `npm run-script <script>` fails due to a typo or missing
  script, npm will now do a "did you mean?..." for scripts that do exist.

### BUGFIXES

- Fix the regular expression matching in `xcode_emulation` in
  `node-gyp` to also handle version numbers with multiple-digit major
  versions which would otherwise break under use of XCode 10.
- Stop trying to hoist/dedupe bundles dependencies.
- Add synopsis to brief help for `npm audit` and suppress trailing
  newline.
- Exclude /.github directory from npm tarball.
- Add suggestion to use a temporary cache instead of `npm cache clear
  --force`.

### DEPENDENCY SHUFFLE!

We did some reshuffling and moving around of npm's own dependencies.
This significantly reduces the total bundle size of the npm pack,
from 8MB to 4.8MB for the distributed tarball! We also moved around
what we actually commit to the repo as far as devDeps go.

- Flatten and dedupe our dependencies!
- Remove unused direct dependency `ansi-regex`.
- Reshuffle ansi-regex for better deduping.
- Reshuffle strip-ansi for better deduping.
- Reshuffle is-fullwidth-code-point for better deduping.
- Add fake-registry, npm-registry-mock replacement.

### DEPENDENCIES

- `tar@4.4.3`
- `pacote@8.1.6`
- `libcipm@2.0.0`
- `request@2.87.0`
- `which@1.3.1`
- `tar@4.4.4`
- `JSONStream@1.3.3`
- `is-cidr@2.0.6`
- `marked@0.4.0`
- `tap@12.0.1`
- `npm-profile@3.0.2`
- `uuid@3.3.2`
   2018-07-10 17:57:00 by Jonathan Perkin | Files touched by this commit (1) | Package updated
Log message:
npm: Switch to regular DEPENDS.

This needs to be able to be installed against any nodejs version, and
can be as no native modules are used.  Bump PKGREVISION.
   2018-07-03 07:03:44 by Adam Ciarcinski | Files touched by this commit (495)
Log message:
extend PYTHON_VERSIONS_ for Python 3.7
   2018-06-28 13:28:02 by Filip Hajny | Files touched by this commit (4)
Log message:
lang/npm: Set proper env for build/install, ensure FAKEHOME is used.
   2018-05-24 16:14:43 by Filip Hajny | Files touched by this commit (3) | Package updated
Log message:
Update lang/npm to 6.1.0.

- NEW FEATURE: npm audit fix
- OTHER NEW audit FEATURES
  - Add support for npm audit --json to print the report in JSON
    format.
  - Include number of audited packages in npm install summary output.
  - Overhaul audit install and detail output format.
- NEW FEATURE: GIT DEPS AND npm init <pkg>!
- FIX WRITE AFTER END ERROR
- DETECT CHANGES IN GIT SPECIFIERS
- OTHER BUGFIXES
  - When requesting the update of a direct dependency that was also a
    transitive dependency to a version incompatible with the
    transitive requirement and you had a lock-file but did not have a
    node_modules folder then npm would fail to provide a new copy of the
    transitive dependency, resulting in an invalid lock-file that could
    not self heal.
  - Cleanup output of npm ci summary report.
  - Node.js now has a test that scans for things that look like
    conflict markers in source code. This was triggering false
    positives on a fixture in a test of npm's ability to heal lockfiles
    with conflicts in them.
  - Make the new npm view work when the license field is an object
    instead of a string.
  - Add support for environments (like Docker) where the expected
    binary for opening external URLs is not available.
  - Fix a spurious colon in the new update notifier message and add
    support for the npm canary.
  - Infer a version range when a package.json has a dist-tag instead
    of a version range in one of its dependency specs. Previously,
    this would cause dependencies to be flagged as invalid.
  - Make sure scoped bundled deps are shown in the new publish
    preview, too.
  - Stop dropping size from metadata on npm cache verify.
  - Fix nested command aliases.
  - Make sure different versions of the Path env var on Windows all
    get node_modules/.bin prepended when running lifecycle scripts.