"Fossies" - the Fresh Open Source Software Archive

Member "Atom/resources/app/apm/node_modules/npm/changelogs/CHANGELOG-2.md" (25 Nov 2016, 263351 Bytes) of archive /windows/misc/atom-windows.zip:


As a special service "Fossies" has tried to format the requested source page into HTML format (assuming markdown format). Alternatively you can here view or download the uninterpreted source code file. A member file download can also be achieved by clicking within a package contents listing on the according byte size field.

v2.15.2 (2016-03-24):

It's always nice to see new contributors. 💚

This week sees another small release, but we're still chugging along on our Windows efforts.

There's also some small process changes to our LTS process relatively recently that you might wanna know about! 💁

For one, the 2.x branch was removed in favor of just lts. If you're making PRs exclusively against npm's LTS, please use that name from now on. 2.x was deleted.

Also, [@othiym23](https://github.com/othiym23) put some time into writing down our LTS process and policy. Check it out and ping us if you have questions or comments about it!

In general, we're trying to make sure all our policy and such for our contributors is written down, and we hope it makes it easier in general for y'all. Forrest is also working on a shiny new Contributor's Guide right now, but we'll link to that in the (near?) future, when it's ready to roll out.

TESTS

DOCS

v2.15.1 (2016-03-17):

SECURITY ADVISORY: BEARER TOKEN DISCLOSURE

This release includes the fix for a vulnerability that could cause the unintentional leakage of bearer tokens.

Here are details on this vulnerability and how it affects you.

DETAILS

Since 2014, npm’s registry has used HTTP bearer tokens to authenticate requests from the npm’s command-line interface. A design flaw meant that the CLI was sending these bearer tokens with every request made by logged-in users, regardless of the destination of their request. (The bearers only should have been included for requests made against a registry or registries used for the current install.)

An attacker could exploit this flaw by setting up an HTTP server that could collect authentication information, then use this authentication information to impersonate the users whose tokens they collected. This impersonation would allow them to do anything the compromised users could do, including publishing new versions of packages.

With the fixes we’ve released, the CLI will only send bearer tokens with requests made against a registry.

THINK YOU'RE AT RISK? REGENERATE YOUR TOKENS

If you believe that your bearer token may have been leaked, invalidate your current npm bearer tokens and rerun npm login to generate new tokens. Keep in mind that this may cause continuous integration builds in services like Travis to break, in which case you’ll need to update the tokens in your CI server’s configuration.

WILL THIS BREAK MY CURRENT SETUP?

Maybe.

npm’s CLI team believes that the fix won’t break any existing registry setups. Due to the large number of registry software suites out in the wild, though, it’s possible our change will be breaking in some cases.

If so, please file an issue describing the software you’re using and how it broke. Our team will work with you to mitigate the breakage.

CREDIT & THANKS

Thanks to Mitar, Will White & the team at Mapbox, Max Motovilov, and James Taylor for reporting this vulnerability to npm.

BACK TO YOUR REGULARLY SCHEDULED PROGRAMMING

Aside from that, it's another one of those releases again! Docs and tests, it turns out, have a pretty easy time getting into LTS releases, and boring is exactly how LTS should be. 💁

DOCS

TESTS

v2.15.0 (2016-03-10):

WHY IS THIS SEMVER-MINOR I THOUGHT THIS WAS LTS

A brief note about LTS this week!

npm, as you may know if you're using this 2.x branch, has an LTS process for releases. We also try and play nice with Node.js' own LTS release process. That means we generally try to avoid things like minor version bumps on our 2.x branch (which is also tagged lts in the dist-tags).

That said, we had a minor-bump update recently for npm@3.8.0 which added a maxsockets option to allow users to configure the number of concurrent sockets that npm would keep open at a time -- a setting that has the potential to help a bunch for people with fussy routers or internet connections that aren't very happy with Node.js applications' usual concurrency storm. This change was done to npm-registry-client, which we don't have a parallel LTS-tracking branch for.

After talking it over, we ended up deciding that this was a reasonable enough addition to LTS, even though it's technically a semver-minor bump, taking into account both its potential for bugfixing (specially on 2.x!) and the general hassle it would be to maintain another branch for npm-registry-client.

DOC PATCH IS HERE TOO

DEP UPDATES

v2.14.22 (2016-03-03):

This week is all documentation improvements. In case you hadn't noticed, we love doc patches. We love them so much, we give socks away if you submit documentation PRs!

These folks are all getting socks if they ask for them. The socks are super-sweet. Do you have yours yet? 👣

v2.14.21 (2016-02-25):

Good news, everyone! There's a new LTS release with a few shinies here and there!

USE THIS ONE INSTEAD

We had some cases where the versions of npm and node used in some scripting situations were different than the ideal, or what folks actually expected. These should be particularly helpful to our Windows friends! <3

SOCKS FOR THE SOCK GOD

INTERNAL TEST IMPROVEMENTS

The npm CLI team's time recently has been sunk into npm's many years of tech debt. Specifically, we've been working on improving the test suite. This isn't user visible, but in future should mean a more stable, easier to contribute to npm. Ordinarily we don't report these kinds of changes in the change log, but I thought I might share this week as this chunk is bigger than usual.

These patches were previously released for npm@3, and then ported back to npm@2 LTS.

v2.14.20 (2016-02-18):

Hope y'all are having a nice week! As usual, it's a fairly limited release. The most notable thing is some dependency updates that might help the Node.js CI setup for Windows run a little better, even if we have some work to do on that path length things, still.

WHITTLING AWAY AT PATH LENGTHS

So for all of you who don't know -- Node.js does, in fact, support long Windows paths. Unfortunately, depending on the tool and the Windows version, a lot of external tooling does not. This means, for example, that some (all?) versions of Windows Explorer can literally never delete npm from their system entirely because of deeply-nested npm dependencies. Which is pretty gnarly.

Incidentally, if you run into that in particularly, you can use rimraf to remove such files 💁.

The latest victim of this issue was the Node.js CI setup for testing on Windows, which uses some tooling or another that croaks on the usual path length limit for that OS: 255 characters.

This issue, of course, is largely not a problem as of npm@3, with its flat trees, but it still occasionally and viciously bites LTS.

We've taken another baby step towards alleviating this in this release by updating a couple of dependencies that were preventing npmlog from deduping, and then doing a dedupe on that and gauge. Hopefully it helps.

OTHER DEP STUFF

@wyze, DOCUMENTATION HERO OF THE PEOPLE, GETS THEIR OWN HEADER

v2.14.19 (2016-02-11):

Really tiny micro-release this week! The main thing to note is a dependency update that means we no longer have graceful-fs@3 in our dependency tree. This has some implications for being able to run on future Node.js releases, so better to get this out the door. 😁

DEPS

DOCS

v2.14.18 (2016-02-04):

Clearly our docs are perfect after all those wonderful PRs, 'cause this week's gonna be all about dependency updates. Note: There is a small security-related fix included here!

OTHER DEPENDENCY UPDATES

v2.14.17 (2016-01-28):

Another week, another small LTS release!

BETTER ERROR REPORTING YAY

So as it turns out, when stuff goes wrong, it's actually nice to give people a better clue rather than just say "oh well 😏".

EVERYONE WANTS THOSE NPM SOCKS, GEEZE

Did you know that you can get npm socks for contributing to our docs? I bet these people do, and now so do you!

v2.14.16 (2016-01-21):

Good to see you all again! It's been a while since we had an LTS release, and the team continues to work hard to both get the issue tracker under control, and get our test suite to be awesome and reliable.

This is also the first LTS release of this year.

We're gonna have an interesting time -- most of our focus this year will be around stability and maintainability of the CLI, so you might actually end up seeing a number of updates even over here, just for the sake of making sure we're stable, that bugs get fixed, and tests have proper coverage.

What better way to start this effort, then, than getting Travis tests green, fix a few things here and there, and tweak a bunch of documentation? 😁

FIX ALL THE BUGS AND TWEAK ALL THE THINGS

DOCS DOCS DOCS

We got a TON of lovely documentation patches, too! Thanks all for submitting!

I REALLY LIKE GREEN. CAN YOU TELL?

So Travis is all green now on npm@2, thanks to the removal of nock and a few other test suite tweaks. This is a fantastic step towards making sure we can all have confidence in our test suite! 🎉

v2.14.15 (2015-12-10):

Did you know that Bob Ross reached the rank of master sergeant in the US Air Force before becoming perhaps the most soothing painter of all time?

TWO HAPPY LITTLE BUG FIXES

NOW PAINT IN SOME NICE DOCS CHANGES

LAND YOUR DEPENDENCY UPGRADES IN PAIRS SO EVERYONE HAS A FRIEND

v2.14.14 (2015-12-03):

FIX URL IN LICENSE

The license incorrectly identified the registry URL as registry.npmjs.com and this has been corrected to registry.npmjs.org.

NO MORE MD5

We updated modules that had been using MD5 for non-security purposes. While this is perfectly safe, if you compile Node in FIPS-compliance mode it will explode if you try to use MD5. We've replaced MD5 with Murmur, which conveys our intent better and is faster to boot.

DEPENDENCY UPDATES

v2.14.13 (2015-11-25):

THE npm CLI !== THE npm REGISTRY !== npm, INC.

npm-the-CLI is licensed under the terms of the Artistic License 2.0, which is a liberal open-source license that allows you to take this code and do pretty much whatever you like with it (that is, of course, not legal language, and if you're doing anything with npm that leaves you in doubt about your legal rights, please seek the review of qualified counsel, which is to say, not members of the CLI team, none of whom have passed the bar, to my knowledge). At the same time the primary registry the CLI uses when looking up and downloading packages is a commercial service run by npm, Inc., and it has its own Terms of Use.

Aside from clarifying the terms of use (and trying to make sure they're more widely known), the only recent changes to npm's licenses have been making the split between the CLI and registry clearer. You are still free to do whatever you like with the CLI's source, and you are free to view, download, and publish packages to and from registry.npmjs.org, but now the existing terms under which you can do so are more clearly documented. Aside from the two commits below, see also the release notes for npm@2.14.11, which is where the split between the CLI's code and the terms of use for the registry was first made more clear.

EASE UP ON WINDOWS BASH USERS

It turns out that a fair number of us use bash on Windows (through MINGW or bundled with Git, plz – Cygwin is still a bridge too far, for both npm and Node.js). [@jakub-g](https://github.com/jakub-g) did us all a favor and relaxed the check for npm completion to support MINGW bash. Thanks, Jakub!

MAKE NODE-GYP A LITTLE BLUER

WE LIKE SPDX AND ALL BUT IT'S NOT ACTUALLY A DIRECT DEP, SORRY

A BOUNTEOUS THANKSGIVING CORNUCOPIA OF DOC TWEAKS

These are great! Keep them coming! Sorry for letting them pile up so deep, everybody. Also, a belated Thanksgiving to our Canadian friends, and a happy Thanksgiving to all our friends in the USA.

v2.14.12 (2015-11-19):

TEEN ORCS AT THE GATES

This week heralds the general release of the primary npm registry's new support for private packages for organizations. For many potential users, it's the missing piece needed to make it easy for you to move your organization's private work onto npm. And now it's here! The functionality to support it has been in place in the CLI for a while now, thanks to [@zkat](https://github.com/zkat)'s hard work.

During our final testing before the release, our ace support team member [@snopeks](https://github.com/snopeks) noticed that there had been some drift between the CLI team's implementation and what npm was actually preparing to ship. In the interests of everyone having a smooth experience with this extremely useful new feature, we quickly made a few changes to square up the CLI and the web site experiences.

A BRIEF NOTE ON NPM'S BACKWARDS COMPATIBILITY

We don't often have much to say about the changes we make to our internal testing and tooling, but I'm going to take this opportunity to reiterate that npm tries hard to maintain compatibility with a wide variety of Node versions. As this change shows, we want to ensure that npm works the same across:

Contributors who send us pull requests often notice that it's very rare that our tests pass across all of those versions (ironically, almost entirely due to the packages we use for testing instead of any issues within npm itself). We're currently beginning an effort, lasting the rest of 2015, to clean up our test suite, and not only get it passing on all of the above versions of Node.js, but working solidly on Windows as well. This is a compounding form of technical debt that we're finally paying down, and our hope is that cleaning up the tests will produce a more robust CLI that's a lot easier to write patches for.

TYPOS IN THE LICENSE, OH MY

v2.14.11 (2015-11-12):

ASK FOR NOTHING, GET LATEST

When you run npm install foo, you probably expect that you'll get the latest version of foo, whatever that is. And good news! That's what this change makes it do.

We think this is what everyone wants, but if this causes problems for you, we want to know! If it proves problematic for people we will consider reverting it (preferrably before this becomes npm@latest).

Previously, when you ran npm install foo we would act as if you typed npm install foo@*. Now, like any range-type specifier, in addition to matching the range, it would also have to be <= the value of the latest dist-tag. Further, it would exclude prerelease versions from the list of versions considered for a match.

This worked as expected most of the time, unless your latest was a prerelease version, in which case that version wouldn't be used, to everyone's surprise.

LICENSE CLARIFICATION

CLOSER TO GREEN TRAVIS

A BUG FIX

A DEPENDENCY UPGRADE

v2.14.10 (2015-11-05):

There's nothing in here that that isn't in the npm@3.4.0 release notes, but all of the commit shasums have been adjusted to be correct. Enjoy!

BUG FIXES VIA DEPENDENCY UPDATES

DOCUMENTATION FIXES

DEPENDENCY UPDATES FOR THEIR OWN SAKE

v2.14.9 (2015-10-29):

There's still life in npm@2, but for now, enjoy these dependency upgrades! Also, [@othiym23](https://github.com/othiym23) says hi! waves [@zkat](https://github.com/zkat) has her hands full, and [@iarna](https://github.com/iarna)'s handling npm@3, so I'm dealing with npm@2 and the totally nonexistent weird bridge npm@1.4 LTS release that may or may not be happening this week.

CAN'T STOP WON'T STOP UPDATING THOSE DEPENDENCIES

DEVDEPENDENCIES TOO, I GUESS, IT'S COOL

v2.14.8 (2015-10-08):

SLOWLY RECOVERING FROM FEELINGS

OS&F is definitely my favorite convention I've gone to. Y'all should check it out next year! Rebecca and Kat are back, although Forrest is out at &yet conf.

This week sees another tiny LTS release with non-code-related patches -- just CI/release things.

Meanwhile, have you heard? npm@3 is much faster now! Go upgrade with npm install -g npm@latest and give it a whirl if you haven't already!

IF YOU CHANGE CASING ON A FILE, YOU ARE NOT MY FRIEND

Seriously. I love me some case-sensitive filesystems, but a lot of us have to deal with git and its funky support for case normalizing systems. Have mercy and just don't bother if all you're changing is casing, please? Otherwise, I have to do this little dance to prevent horrible conflicts.

IDK. OUR CI DOESN'T EVEN FULLY WORK YET BUT SURE

Either way, it's nice to make sure we're running stuff on the latest Node. 4.2 is getting released very soon, though (this week?), and that'll be the first official LTS release!

v2.14.7 (2015-10-01):

MORE RELEASE STAGGERING?!

Hi all, and greetings from Open Source & Feelings!

So we're switching gears a little with how we handle our weekly releases: from now on, we're going to stagger release weeks between dependency bumps and regular patches. So, this week, aside from a doc change, we'll be doing only version bumps. Expect actual patches next week!

TOTALLY FOLLOWING THE RULES ALREADY

So I snuck this in, because it's our own [@snopeks](https://github.com/snopeks)' first contribution to the main npm repo. She's been helping with building support documents for Orgs, and contributed her general intro guide to the new feature so you can read it with npm help orgs right in your terminal!

JUST. ONE. MORE.

OKAY ACTUALLY THE THING I WAS SUPPOSED TO DO

Anyway -- here's your version bump! :)

v2.14.6 (2015-09-24):

¯\_(ツ)_/¯

Since 2.x is LTS now, you can expect a slowdown in overall release sizes. On top of that, we had our all-company-npm-internal-conf thing on Monday and Tuesday so there wasn't really time to do much at all.

Still, we're bringing you a couple of tiny little changes this week!

v2.14.5 (2015-09-17):

NPM IS DEAD. LONG LIVE NPM

That's right folks. As of this week, npm@next is npm@3, which means it'll be npm@latest next week! There's some really great shiny new things over there, and you should really take a look.

Many kudos to [@iarna](https://github.com/iarna) for her hard work on npm@3!

Don't worry, we'll keep 2.x around for a while (as LTS), but you won't see many, if any, new features on this end. From now on, we're going to use latest-2 and next-2 as the dist tags for the npm@2 branch.

OKAY THAT'S FINE CAN I DEPRECATE THINGS NOW?

Yes! Specially if you're using scoped packages. Apparently, deprecating them never worked, but that should be better now. :)

WTF IS node-waf

idk. Some old thing. We don't talk about it anymore.

THE graceful-fs AND node-gyp SAGA CONTINUES

Last week had some sweeping graceful-fs upgrades, and this takes care of one of the stragglers, as well as bumping node-gyp. node@4 users might be excited about this, or even node@<4 users who previously had to cherry-pick a bunch of patches to get the latest npm working.

DEPS! DEPS! MORE DEPS! OK STOP DEPS

v2.14.4 (2015-09-10):

THE GREAT NODEv4 SAGA

So Node 4 is out now and that's going to involve a number of things over in npm land. Most importantly, it's the last major release that will include the 2.x branch of npm. That also means that 2.x is going to go into LTS mode in the coming weeks -- once npm@3 becomes our official latest release. You can most likely expect Node 5 to include npm@3 by default, whenever that happens. We'll go into more detail about LTS at that point, as well, so keep your eyes peeled for announcements!

NODE IS DEAD. LONG LIVE NODE!

Node 4 being released means that a few things that used to be floating patches are finally making it right into npm proper. This week, we've got two such updates, both to dependencies:

[@thefourtheye](https://github.com/thefourtheye) was kind enough to submit a bunch of PRs to npm's dependencies updating them to graceful-fs@4.1.2, which mainly makes it so we're no longer monkey-patching fs. The following are all updates related to this:

OTHER PATCHES

MORE DEPENDENCIES!

DOC UPDATES

v2.14.3 (2015-09-03):

TEAMS AND ORGS STILL BETA. CLI CODE STILL SOLID.

Our closed beta for Teens and Orcs is happening! The web team is hard at work making sure everything looks pretty and usable and such. Once we fix things stemming from that beta, you can expect the feature to be available publicly. Some time after that, it'll even be available for free for FOSS orgs. It'll Be Done When It's Done™.

OH GOOD, I CAN ACTUALLY UPSTREAM NOW

Looks like last week's release foiled our own test suite when trying to upstream it to Node! Just a friendly reminder that no, .npmrc is no longer included then you pack/release a package! [@othiym23](https://github.com/othiym23) and [@isaacs](https://github.com/isaacs) managed to suss the really strange test failures resulting from that, and we've patched it in this release.

TALKING ABOUT THE CHANGELOG IN THE CHANGELOG IS LIKE, POMO OR SOMETHING

devDependencies UPDATED

No actual dep updates this week, but we're bumping a couple of devDeps:

v2.14.2 (2015-08-27):

GETTING THAT PESKY preferGlobal WARNING RIGHT

So apparently the preferGlobal option hasn't quite been warning correctly for some time. But now it should be all better! tl;dr: if you try and install a dependency with preferGlobal: true, and it's not already in your package.json, you'll get a warning that the author would really rather you install it with --global. This should prevent Windows PowerShell from thinking npm has failed just because of a benign warning.

BUMP +1

OTHER STUFF THAT'S RELEVANT

v2.14.1 (2015-08-20):

SECURITY FIX

There are patches for two information leaks of moderate severity in npm@2.14.1:

  1. In some cases, npm was leaking sensitive credential information into the child environment when running package and lifecycle scripts. This could lead to packages being published with files (most notably config.gypi, a file created by node-gyp that is a cache of environmental information regenerated on every run) containing the bearer tokens used to authenticate users to the registry. Users with affected packages have been notified (and the affected tokens invalidated), and now npm has been modified to not upload files that could contain this information, as well as scrubbing the sensitive information out of the environment passed to child scripts.
  2. Per-package .npmrc files are used by some maintainers as a way to scope those packages to a specific registry and its credentials. This is a reasonable use case, but by default .npmrc was packed into packages, leaking those credentials. npm will no longer include .npmrc when packing tarballs.

If you maintain packages and believe you may be affected by either of the above scenarios (especially if you've received a security notification from npm recently), please upgrade to npm@2.14.1 as soon as possible. If you believe you may have inadvertently leaked your credentials, upgrade to npm@2.14.1 on the affected machine, and run npm logout and then npm login. Your access tokens will be invalidated, which will eliminate any risk posed by tokens inadvertently included in published packages. We apologize for the inconvenience this causes, as well as the oversight that led to the existence of this issue in the first place.

Huge thanks to [@ChALkeR](https://github.com/ChALkeR) for bringing these issues to our attention, and for helping us identify affected packages and maintainers. Thanks also to the Node.js security working group for their coördination with the team in our response to this issue. We appreciate everybody's patience and understanding tremendously.

BETTER WINDOWS INTEGRATION, ONE STEP AT A TIME

IT SEEMED LIKE AN IDEA AT THE TIME

A SINGLE LONELY DEPENDENCY UPGRADE

v2.14.0 (2015-08-13):

IT'S HERE! KINDA!

This release adds support for teens and orcs (err, teams and organizations) to the npm CLI! Note that the web site and registry-side features of this are still not ready for public consumption.

A beta should be starting in the next couple of weeks, and the features themselves will become public once all that's done. Keep an eye out for more news!

All of these changes were done under #9011:

A FEW EXTRA VERSION BUMPS

ALSO A DOC FIX

v2.13.5 (2015-08-07):

This is another quiet week for the npm@2 release. [@zkat](https://github.com/zkat) has been working hard on polishing the CLI bits of the registry's new feature to support direct management of teams and organizations, and [@iarna](https://github.com/iarna) continues to work through the list of issues blocking the general release of npm@3, which is looking more and more solid all the time.

[@othiym23](https://github.com/othiym23) and [@zkat](https://github.com/zkat) have also been at this week's Node.js / io.js collaborator summit, both as facilitators and participants. This is a valuable opportunity to get some face time with other contributors and to work through a bunch of important discussions, but it does leave us feeling kind of sleepy. Running meetings is hard!

What does that leave for this release? A few of the more tricky bug fixes that have been sitting around for a little while now, and a couple dependency upgrades. Nothing too fancy, but most of these were contributed by developers like you, which we think is swell. Thanks!

BUG FIXES

NOPE, NOT DONE WITH DEPENDENCY UPDATES

v2.13.4 (2015-07-30):

JULY ENDS ON A FAIRLY QUIET NOTE

Hey everyone! I hope you've had a great week. We're having a fairly small release this week while we wrap up Teams and Orgs (or, as we've taken to calling it internally, Teens and Orcs).

In other exciting news, a bunch of us are gonna be at the Node.js Collaborator Summit, and you can also find us at wafflejs on Wednesday. Hopefully we'll be seeing some of you there. :)

THE PATCH!!!

So here it is. The patch. Hope it helps. (Thanks, [@ktarplee](https://github.com/ktarplee)!)

OH AND THERE'S A DEV DEPENDENCIES UPDATE

Hooray.

v2.13.3 (2015-07-23):

I'M SAVING THE GOOD JOKES FOR MORE INTERESTING RELEASES

It's pretty hard to outdo last week's release buuuuut~ I promise I'll have a treat when we release our shiny new Teams and Organizations feature! :D (Coming Soon™). It'll be a real gem.

That means it's a pretty low-key release this week. We got some nice documentation tweaks, a few bugfixes, and other such things, though!

Oh, and a bunch of version bumps. Thanks, semver!

IT'S THE LITTLE THINGS THAT MATTER

WHAT DOES THIS BUTTON DO?

There's a couple of doc updates! The last one might be interesting.

THE SEMVER MAJOR VERSION APOCALYPSE IS UPON US

Basically, semver is up to @5, and that meant we needed to go in an update a bunch of our dependencies manually. node-gyp is still pending update, since it's not ours, though!

*BUMP*

And some other version bumps for good measure.

v2.13.2 (2015-07-16):

HOLD ON TO YOUR TENTACLES... IT'S NPM RELEASE TIME!

Kat: Hooray! Full team again, and we've got a pretty small patch release this week, about everyone's favorite recurring issue: git URLs!

Rebecca: No Way! Again?

Kat: The ride never ends! In the meantime, there's some fun, exciting work in the background to get orgs and teams out the door. Keep an eye out for news. :)

Rebecca: And make sure to keep an eye out for patches for the super-fresh npm@3!

LET'S GIT INKY

Rebecca: So what's this about another git URL issue?

Kat: Welp, I apparently broke backwards-compatibility on what are actually invalid git+https URLs! So I'm making it work, but we're gonna deprecate URLs that look like git+https://user@host:path/is/here.

Rebecca: What should we use instead?!

Kat: Just do me a solid and use git+ssh://user@host:path/here or git+https://user@host/absolute/https/path instead!

NEWS FLASH! DOCUMENTATION IMPROVEMENTS!

STAY FRESH~

Kat: That's it for npm core changes!

Rebecca: Great! Let's look at the fresh new dependencies, then!

Kat: See you all next week!

Both: Stay Freeesh~

(some cat form of Forrest can be seen snoring in the corner)

v2.13.1 (2015-07-09):

KAUAI WAS NICE. I MISS IT.

But Forrest's still kinda on vacation, and not just mentally, because he's hanging out with the fine meatbags at CascadiaFest. Enjoy this small bug release.

MAKE OURSELVES HAPPY

MAKE TRAVIS HAPPY

MAKE npm outdated HAPPY

There are new versions of strip-ansi and ansi-regex, but npm only uses them indirectly, so we pushed them down into their dependencies where they can get updated at their own pace.

v2.13.0 (2015-07-02):

FORREST IS OUT! LET'S SNEAK IN ALL THE THINGS!

Well, not everything. Just a couple of goodies, like the new npm ping command, and the ability to add files to the commits created by npm version with the new version hooks. There's also a couple of bugfixes in npm itself and some of its dependencies. Here we go!

YES HELLO THIS IS NPM REGISTRY SORRY NO DOG HERE

Yes, that's right! We now have a dedicated npm ping command. It's super simple and super easy. You ping. We tell you whether you pinged right by saying hello right back. This should help out folks dealing with things like proxy issues or other registry-access debugging issues. Give it a shot!

This addresses #5750, and will help with the npm doctor stuff described in #6756.

I'VE WANTED THIS FOR version SINCE LIKE LITERALLY FOREVER AND A DAY

Seriously! This patch lets you add files to the version commit before it's made, So you can add additional metadata files, more automated changes to package.json, or even generate CHANGELOG.md automatically pre-commit if you're into that sort of thing. I'm so happy this is there I can't even. Do you have other fun usecases for this? Tell [npmbot (@npmjs)](http://twitter.com/npmjs) about it!

ALL YOUR FILE DESCRIPTORS ARE BELONG TO US

We've had problems in the past with things like EMFILE errors popping up when trying to install packages with a bunch of dependencies. Isaac patched up graceful-fs to handle this case better, so we should be seeing fewer of those.

READ THE FINE DOCS. THEY'VE IMPROVED

MORE NUMBERS! MORE VALUE!

OH AND ONE MORE THING

v2.12.1 (2015-06-25):

HEY WHERE DID EVERYBODY GO

I keep hearing some commotion. Is there something going on? Like, a party or something? Anyway, here's a small release with at least two significant bug fixes, at least one of which some of you have been waiting for for quite a while.

REMEMBER WHEN I SAID "REMEMBER WHEN I SAID THAT THING ABOUT PERMISSIONS?"?

npm@2.12.0 has a change that introduces a fix for a permissions problem whereby the _locks directory in the cache directory can up being owned by root. The fix in 2.12.0 takes care of that problem, but introduces a new problem for Windows users where npm tries to call process.getuid(), which doesn't exist on Windows. It was easy enough to fix (but more or less impossible to test, thanks to all the external dependencies involved with permissions and platforms and whatnot), but as a result, Windows users might want to skip npm@2.12.0 and go straight to npm@2.12.1. Sorry about that!

WHEW! ALL DONE FIXING GIT FOREVER!

New npm CLI team hero [@zkat](https://github.com/zkat) has finally (FINALLY) fixed the regression somebody (hi!) introduced a couple months ago whereby git URLs of the format git+ssh://user@githost.com:org/repo.git suddenly stopped working, and also started being saved (and cached) incorrectly. I am 100% sure there are absolutely no more bugs in the git caching code at all ever. Mm hm. Yep. Pretty sure. Maybe. Hmm... I hope.

Sighs audibly.

Let us know if we broke something else with this fix.

YEP, THERE ARE STILL DEPENDENCY UPGRADES

v2.12.0 (2015-06-18):

REMEMBER WHEN I SAID THAT THING ABOUT PERMISSIONS?

About a million people have filed issues related to having a tough time using npm after they've run npm once or twice with sudo. "Don't worry about it!" I said. "We've fixed all those permissions problems ages ago! Use this one weird trick and you'll never have to deal with this again!"

Well, uh, if you run npm with root the first time you run npm on a machine, it turns out that the directory npm uses to store lockfiles ends up being owned by the wrong user (almost always root), and that can, well, it can cause problems sometimes. By which I mean every time you run npm without being root it'll barf with EACCES errors. Whoops!

This is an obnoxious regression, and to prevent it from recurring, we've made it so that the cache, cached git remotes, and the lockfile directories are all created and maintained using the same utilty module, which not only creates the relevant paths with the correct permissions, but will fix the permissions on those directories (if it can) when it notices that they're broken. An npm install run as root ought to be sufficient to fix things up (and if that doesn't work, first tell us about it, and then run sudo chown -R $(whoami) $HOME/.npm)

Also, I apologize for inadvertently gaslighting any of you by claiming this bug wasn't actually a bug. I do think we've got this permanently dealt with now, but I'll be paying extra-close attention to permissions issues related to the cache for a while.

I WENT TO NODECONF AND ALL I GOT WAS THIS LOUSY SPDX T-SHIRT

That's not literally true. We spent very little time discussing SPDX, [@kemitchell](https://github.com/kemitchell) is a champ, and I had a lot of fun playing drum & bass to a mostly empty Boogie Barn and only ended up with one moderately severe cold for my pains. Another winner of a NodeConf! (I would probably wear a SPDX T-shirt if somebody gave me one, though.)

A bunch of us did have a spirited discussion of the basics of open-source intellectual property, and the convergence of me, [@kemitchell](https://github.com/kemitchell), and [@jandrieu](https://github.com/jandrieu) in one place allowed us to hammmer out a small but significant issue that had been bedeviling early adopters of the new SPDX expression syntax in package.json license fields: how to deal with packages that are left without a license on purpose.

Refer to the docs for the specifics, but the short version is that instead of using LicenseRef-LICENSE for proprietary licenses, you can now use either UNLICENSED if you want to make it clear that you don't want your software to be licensed (and want npm to stop warning you about this), or SEE LICENSE IN <filename> if there's a license with custom text you want to use. At some point in the near term, we'll be updating npm to verify that the mentioned file actually exists, but for now you're all on the honor system.

SMALLISH BUG FIXES

SMALLERISH DOCUMENTATION TWEAKS

WELL, I GUESS THERE ARE MORE DEPENDENCY UPGRADES

v2.11.3 (2015-06-11):

This was a very quiet week. This release was done by [@iarna](https://github.com/iarna), while the rest of the team hangs out at NodeConf Adventure!

TESTS IN 0.8 FAIL LESS

THE TREADMILL OF UPDATES NEVER CEASES

v2.11.2 (2015-06-04):

Another small release this week, brought to you by the latest addition to the CLI team, [@zkat](https://github.com/zkat) (Hi, all!)

Mostly small documentation tweaks and version updates. Oh! And npm outdated is actually sorted now. Rejoice!

It's gonna be a while before we get another palindromic version number. Enjoy it while it lasts. :3

QUALITY OF LIFE HAS NEVER BEEN BETTER

WORDS HAVE NEVER BEEN QUITE THIS READABLE

VERSION NUMBERS HAVE NEVER BEEN BIGGER

v2.11.1 (2015-05-28):

This release brought to you from poolside at the Omni Amelia Island Resort and JSConf 2015, which is why it's so tiny.

CONFERENCE WIFI CAN'T STOP THESE BUG FIXES

MY (VIRGIN) PINA COLADA IS GETTING LOW, BETTER UPGRADE THESE DEPENDENCIES

v2.11.0 (2015-05-21):

For the first time in a very long time, we've added new events to the life cycle used by npm run-script. Since running npm version (major|minor|patch) is typically the last thing many developers do before publishing their updated packages, it makes sense to add life cycle hooks to run tests or otherwise preflight the package before doing a full publish. Thanks, as always, to the indefatigable [@watilde](https://github.com/watilde) for yet another great usability improvement for npm!

FEATURELETS

BUG FIXES

DOCUMENTATION IMPROVEMENTS

DEPENDENCY UPDATES! ALWAYS AND FOREVER!

LICENSE FILES FOR THE LICENSE GOD

SPDX LICENSE UPDATES

v2.10.1 (2015-05-14):

BUG FIXES & DOCUMENTATION TWEAKS

DEPENDENCY UPDATES! STILL! MORE! AGAIN!

v2.10.0 (2015-05-8):

THE IMPLICATIONS ARE MORE PROFOUND THAN THEY APPEAR

If you've done much development in The Enterprise®™, you know that keeping track of software licenses is far more important than one might expect / hope / fear. Tracking licenses is a hassle, and while many (if not most) of us have (reluctantly) gotten around to setting a license to use by default with all our new projects (even if it's just WTFPL), that's about as far as most of us think about it. In big enterprise shops, ensuring that projects don't inadvertently use software with unacceptably encumbered licenses is serious business, and developers spend a surprising (and appalling) amount of time ensuring that licensing is covered by writing automated checkers and other license auditing tools.

The Linux Foundation has been working on a machine-parseable syntax for license expressions in the form of SPDX, an appropriately enterprisey acronym. IP attorney and JavaScript culture hero Kyle Mitchell has put a considerable amount of effort into bringing SPDX to JavaScript and Node. He's written spdx.js, a JavaScript SPDX expression parser, and has integrated it into npm in a few different ways.

For you as a user of npm, this means:

In general, this shouldn't be a big deal for anybody other than people trying to run their own automated license validators, but in the long run, if everybody switches to this format, many people's lives will be made much simpler. I think this is an important improvement for npm and am very thankful to Kyle for taking the lead on this. Also, even if you think all of this is completely stupid, just choose a license anyway. Future you will thank past you someday, unless you are djb, in which case you are djb, and more power to you.

As a corollary to the previous changes, I've put some work into making npm install spew out fewer pointless warnings about missing values in transitive dependencies. From now on, npm will only warn you about missing READMEs, license fields, and the like for top-level projects (including packages you directly install into your application, but we may relax that eventually).

Practically nobody liked having those warnings displayed for child dependencies, for the simple reason that there was very little that anybody could do about those warnings, unless they happened to be the maintainers of those dependencies themselves. Since many, many projects don't have SPDX-compliant licenses, the number of warnings reached a level where they ran the risk of turning into a block of visual noise that developers (read: me, and probably you) would ignore forever.

So I fixed it. If you still want to see the messages about child dependencies, they're still there, but have been pushed down a logging level to info. You can display them by running npm install -d or npm install --loglevel=info.

BUG FIXES

v2.9.1 (2015-04-30):

WOW! MORE GIT FIXES! YOU LOVE THOSE!

The first item below is actually a pretty big deal, as it fixes (with a one-word change and a much, much longer test case (thanks again, [@iarna](https://github.com/iarna))) a regression that's been around for months now. If you're depending on multiple branches of a single git dependency in a single project, you probably want to check out npm@2.9.1 and verify that things (again?) work correctly in your project.

DOCUMENTATION FIXES AND TWEAKS

These changes may seem simple and small (except Lin's fix to the package name restrictions, which was more an egregious oversight on our part), but cleaner documentation makes npm significantly more pleasant to use. I really appreciate all the typo fixes, clarifications, and formatting tweaks people send us, and am delighted that we get so many of these pull requests. Thanks, everybody!

ENROBUSTIFICATIONMENT

DEPENDENCY UPDATES WAIT FOR NO SOPHONT

v2.9.0 (2015-04-23):

This week was kind of a breather to concentrate on fixing up the tests on the multi-stage branch, and not mess with git issues for a little while. Unfortunately, There are now enough severe git issues that we'll probably have to spend another couple weeks tackling them. In the meantime, enjoy these two small features. They're just enough to qualify for a semver-minor bump:

NANOFEATURES

OTHER MINOR TWEAKS

DEPENDENCIES WILL NOT STOP UNTIL YOU ARE VERY SLEEPY

v2.8.4 (2015-04-16):

This is the fourth release of npm this week, so it's mostly just landing a few small outstanding PRs on dependencies and some tiny documentation tweaks. npm@2.8.3 is where the real action is.

v2.8.3 (2015-04-15):

TWO SMALL GIT TWEAKS

This is the last of a set of releases intended to ensure npm's git support is robust enough that we can stop working on it for a while. These fixes are small, but prevent a common crasher and clear up one of the more confusing error messages coming out of npm when working with repositories hosted on git.

v2.8.2 (2015-04-14):

PEACE IN OUR TIME

npm has been having an issue with CouchDB's web server since the release of io.js and Node.js 0.12.0 that has consumed a huge amount of my time to little visible effect. Sam Mikes picked up the thread from me, and after a lot of effort figured out that ultimately there are probably a couple problems with the new HTTP Agent keep-alive handling in new versions of Node. In addition, npm-registry-client was gratuitously sending a body along with a GET request which was triggering the bugs. Sam removed about 10 bytes from one file in npm-registry-client, and this problem, which has been bugging us for months, completely went away.

In conclusion, Sam Mikes is great, and anybody using a private registry hosted on CouchDB should thank him for his hard work. Also, thanks to the community at large for pitching in on this bug, which has been around for months now.

v2.8.1 (2015-04-12):

CORRECTION: NPM'S GIT INTEGRATION IS DOING OKAY

A helpful bug report led to another round of changes to hosted-git-info, some additional test-writing, and a bunch of hands-on testing against actual private repositories. While the complexity of npm's git dependency handling is nearly fractal (because npm is very complex, and git is even more complex), it's feeling way more solid than it has for a while. We think this is a substantial improvement over what we had before, so give npm@2.8.1 a shot if you have particularly complex git use cases and let us know how it goes.

(NOTE: These changes mostly affect cloning and saving references to packages hosted in git repositories, and don't address some known issues with things like lifecycle scripts not being run on npm dependencies. Work continues on other issues that affect parity between git and npm registry packages.)

SCOPED DEPENDENCIES AND PEER DEPENDENCIES: NOT QUITE REESE'S

Big thanks to [@ewie](https://github.com/ewie) for identifying an issue with how npm was handling peerDependencies that were implicitly installed from the package.json files of scoped dependencies. This will be a moot point with the release of npm@3, but until then, it's important that peerDependency auto-installation work as expected.

MAKING IT EASIER TO WRITE NPM TESTS, VERSION 0.0.1

[@iarna](https://github.com/iarna) and I ([@othiym23](https://github.com/othiym23)) have been discussing a candidate plan for improving npm's test suite, with the goal of making it easier for new contributors to get involved with npm by reducing the learning curve necessary to be able to write good tests for proposed changes. This is the first substantial piece of that effort. Here's what the commit message for ed7e249 had to say about this work:

It's too difficult for npm contributors to figure out what the conventional style is for tests. Part of the problem is that the documentation in CONTRIBUTING.md is inadequate, but another important factor is that the tests themselves are written in a variety of styles. One of the most notable examples of this is the fact that many tests use fixture directories to store precooked test scenarios and package.json files.

This had some negative consequences:

All in all, the fixture directories were a major source of technical debt, and cleaning them up, while time-consuming, makes the whole test suite much more approachable, and makes it more likely that new tests written by outside contributors will follow a conventional style. To support that, all of the tests touched by this changed were cleaned up to pass the standard style checker.

And here's a little extra context from a comment I left on #7929:

One of the other things that encouraged me was looking at this presentation on technical debt from Pycon 2015, especially slide 53, which I interpreted in terms of difficulty getting new contributors to submit patches to an OSS project like npm. npm has a long ways to go, but I feel good about this change.

THE EVER-BEATING DRUM OF DEPENDENCY UPDATES

v2.8.0 (2015-04-09):

WE WILL NEVER BE DONE FIXING NPM'S GIT SUPPORT

If you look at the last release's release notes, you will note that they confidently assert that it's perfectly OK to force all GitHub URLs through the same git: -> git+ssh: fallback flow for cloning. It turns out that many users depend on git+https: URLs in their build environments because they use GitHub auth tokens instead of SSH keys. Also, in some cases you just want to be able to explicitly say how a given dependency should be cloned from GitHub.

Because of the way we resolved the inconsistency in GitHub shorthand handling before, this turned out to be difficult to work around. So instead of hacking around it, we completely redid how git is handled within npm and its attendant packages. Again. This time, we changed things so that normalize-package-data and read-package-json leave more of the git logic to npm itself, which makes handling shorthand syntax consistently much easier, and also allows users to resume using explicit, fully-qualified git URLs without npm messing with them.

Here's a summary of what's changed:

It is [@othiym23](https://github.com/othiym23)'s sincere hope that this will resolve all of the inconsistencies users were seeing with GitHub and git-hosted packages, but given the level of change here, that may just be a fond wish. Extra testing of this change is requested.

TEST FIXES FOR NODE 0.8

npm continues to get closer to being completely green on Travis for Node 0.8.

SMALL FIX AND DOC TWEAK

v2.7.6 (2015-04-02):

GIT MEAN, GIT TUFF, GIT ALL THE WAY AWAY FROM MY STUFF

Part of the reason that we're reluctant to take patches to how npm deals with git dependencies is that every time we touch the git support, something breaks. The last few releases are a case in point. npm@2.7.4 completely broke installing private modules from GitHub, and npm@2.7.5 fixed them at the cost of logging a misleading error message that caused many people to believe that their dependencies hadn't been successfully installed when they actually had been.

This all started from a desire to ensure that GitHub shortcut syntax is being handled correctly. The correct behavior is for npm to try to clone all dependencies on GitHub (whether they're specified with the GitHub organization/repository shortcut syntax or not) via the plain git: protocol first, and to fall back to using git+ssh: if git: doesn't work. Previously, sometimes npm would use git: and git+ssh: in some cases (most notably when using GitHub shortcut syntax on the command line), and use git+https: in others (when the GitHub shortcut syntax was present in package.json). This led to subtle and hard-to-understand inconsistencies, and we're glad that as of npm@2.7.6, we've finally gotten things to where they were before we started, only slightly more consistent overall.

We are now going to go back to our policy of being extremely reluctant to touch the code that handles Git dependencies.

OTHER SIGNIFICANT FIXES

SMALL FIXES AND DEPENDENCY UPGRADES

v2.7.5 (2015-03-26):

SECURITY FIXES

BUG FIXES

DEPENDENCY UPDATES

DOCUMENTATION FIXES

v2.7.4 (2015-03-20):

BUG FIXES

DEPENDENCY UPDATES

A NEW REGRESSION TEST

v2.7.3 (2015-03-16):

HAHA WHOOPS LIL SHINKWRAP ISSUE THERE LOL

v2.7.2 (2015-03-12):

NPM GASTROENTEROLOGY

LESS DRAMATIC CHANGES

DEPENDENCY REFRESH

v2.7.1 (2015-03-05):

GITSANITY

WHY DID THIS TAKE SO LONG.

BUGS & TWEAKS

E TYPSO & CLARFIICATIONS

dId yuo know that submiting fxies for doc tpyos is an exclelent way to get strated contriburting to a new open-saurce porject?

v2.7.0 (2015-02-26):

SOMETIMES SEMVER MEANS "SUBJECTIVE-EMPATHETIC VERSIONING"

For a very long time (maybe forever?), the documentation for npm run-script has said that npm restart will only call npm stop and npm start when there is no command defined as npm restart in package.json. The problem with this documentation is that npm run-script was apparently never wired up to actually work this way.

Until now.

If the patch below were landed on its own, free of context, it would be a breaking change. But, since the "new" behavior is how the documentation claims this feature has always worked, I'm classifying it as a patch-level bug fix. I apologize in advance if this breaks anybody's deployment scripts, and if it turns out to be a significant regression in practice, we can revert this change and move it to npm@3, which is allowed to make breaking changes due to being a new major version of semver.

A SMALL FEATURE WITH BIG IMPLICATIONS

[@WATILDE'S](https://github.com/watilde) NPM USABILITY CORNER

Following npm@2.6.1's unexpected fix of many of the issues with npm update -g simply by making --depth=0 the default for npm outdated, friend of npm [@watilde](https://github.com/watilde) has made several modest changes to npm's behavior that together justify bumping npm's minor version, as well as making npm significantly more pleasant to use:

SMALLER FEATURES AND FIXES

It turns out that quite a few pull requests had piled up on npm's issue tracker, and they included some nice small features and fixes:

DOCUMENTATION TWEAKS

DEPENDENCY UPDATES

v2.6.1 (2015-02-19):

v2.6.0 (2015-02-12):

A LONG-AWAITED GUEST

DEPRECATIONS

BUG FIXES & TWEAKS

Also typos and other documentation issues were addressed by [@rutsky](https://github.com/rutsky), [@imurchie](https://github.com/imurchie), [@marcin-wosinek](https://github.com/marcin-wosinek), [@marr](https://github.com/marr), [@amZotti](https://github.com/amZotti), and [@karlhorky](https://github.com/karlhorky). Thank you, everyone!

v2.5.1 (2015-02-06):

This release doesn't look like much, but considerable effort went into ensuring that npm's tests will pass on io.js 1.1.0 and Node 0.11.16 / 0.12.0 on both OS X and Linux.

NOTE: there are no actual changes to npm's code in npm@2.5.1. Only test code (and the upgrade of request to the latest version) has changed.

npm-registry-mock@1.0.0:

MINOR DEPENDENCY TWEAK

v2.5.0 (2015-01-29):

SMALL FEATURE I HAVE ALREADY USED TO MAINTAIN NPM ITSELF

BUG FIXES & TWEAKS

npm-registry-client@6.0.7:

v2.4.1 (2015-01-23):

bridge that doesn't meet in the middle

bridge that doesn't meet in the middle

Let's accentuate the positive: the dist-tag endpoints for npm dist-tag {add,rm,ls} are now live on the public npm registry.

v2.4.0 (2015-01-22):

REGISTRY 2: ACCESS AND DIST-TAGS

NOTE: This week's registry-2 commands are leading the implementation on registry.npmjs.org a little bit, so some of the following may not work for another week or so. Also note that npm access has documentation and subcommands that are not yet finished, because they depend on incompletely specified registry API endpoints. Things are coming together very quickly, though, so expect the missing pieces to be filled in the coming weeks.

NOT EXACTLY SELF-DEPRECATING

BUG FIX AND TINY FEATURE

v2.3.0 (2015-01-15):

REGISTRY 2: OH MY STARS! WHO AM I?

BETTER REGISTRY METADATA CACHING

HOW MUCH IS THAT WINDOWS IN THE DOGGY?

THRILLING BUG FIXES

v2.2.0 (2015-01-08):

v2.1.18 (2015-01-01):

v2.1.17 (2014-12-25):

merry npm xmas

Working with [@phated](https://github.com/phated), I discovered that npm still had some lingering race conditions around how it handles Git dependencies. The following changes were intended to remedy to these issues. Thanks to [@phated](https://github.com/phated) for all his help getting to the bottom of these.

Other changes:

v2.1.16 (2014-12-22):

v2.1.15 (2014-12-18):

v2.1.14 (2014-12-13):

v2.1.13 (2014-12-11):

v2.1.12 (2014-12-04):

v2.1.11 (2014-11-27):

v2.1.10 (2014-11-20):

v2.1.9 (2014-11-13):

v2.1.8 (2014-11-06):

v2.1.7 (2014-10-30):

v2.1.6 (2014-10-23):

v2.1.5 (2014-10-16):

OUTDATED DEPENDENCY CLEANUP JAMBOREE

v2.1.4 (2014-10-09):

TEST CLEANUP EXTRAVAGANZA:

v2.1.3 (2014-10-02):

BREAKING CHANGE FOR THE SQRT(i) PEOPLE ACTUALLY USING npm submodule:

BREAKING CHANGE IF YOU ARE FOR SOME REASON STILL USING NODE 0.6 AND YOU SHOULD NOT BE DOING THAT CAN YOU NOT:

Other changes:

v2.1.2 (2014-09-29):

v2.1.1 (2014-09-26):

v2.1.0 (2014-09-25):

NEW FEATURE:

Other changes:

v2.0.2 (2014-09-19):

v2.0.1 (2014-09-18):

v2.0.0 (2014-09-12):

BREAKING CHANGES:

Other changes:

v2.0.0-beta.3 (2014-09-04):

v2.0.0-beta.2 (2014-08-29):

SPECIAL LABOR DAY WEEKEND RELEASE PARTY WOOO

v2.0.0-beta.1 (2014-08-28):

v2.0.0-beta.0 (2014-08-21):

v2.0.0-alpha.7 (2014-08-14):

v2.0.0-alpha.6 (2014-08-07):

BREAKING CHANGE:

Other changes:

v2.0.0-alpha-5 (2014-07-22):

This release bumps up to 2.0 because of this breaking change, which could potentially affect how your package's scripts are run:

Other changes: