Update npm to v6

Open renovate[bot] opened this issue 5 years ago • 1 comments

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| npm (source) | engines | major | >=5 -> >=6.9.0 |

Release Notes

npm/cli

v6.9.0

FEATURES
BUGFIXES
DOCS
DEPENDENCIES

v6.8.0

This release includes an implementation of RFC #​10, documenting an optional field that can be used to specify the directory path for a package within a monorepo.

NEW FEATURES
BUGFIXES
DEPENDENCY BUMPS
MISC

v6.7.0

Hey y'all! This is a quick hotfix release that includes some important fixes to [email protected] related to the large rewrite/refactor. We're tagging it as a feature release because the changes involve some minor new features, and semver is semver, but there's nothing major here.

NEW FEATURES
  • 50463f58b Improve usage errors to npm org commands and add optional filtering to npm org ls subcommand. (@​zkat)
BUGFIXES
  • 4027070b0 Fix default usage printout for npm org so you actually see how it's supposed to be used. (@​zkat)
  • cfea6ea5b fix default usage message for npm hook (@​zkat)
DOCS
DEPENDENCY BUMPS

v6.6.0

REFACTORING OUT npm-REGISTRY-CLIENT

Today is an auspicious day! This release marks the end of a massive internal refactor to npm that means we finally got rid of the legacy npm-registry-client in favor of the shiny, new, window.fetch-like npm-registry-fetch.

Now, the installer had already done most of this work with the release of npm@5, but it turns out every other command still used the legacy client. This release updates all of those commands to use the new client, and while we're at it, adds a few extra goodies:

  • All OTP-requiring commands will now prompt. --otp is no longer required for dist-tag, access, et al.
  • We're starting to integrate a new config system which will eventually get extracted into a standalone package.
  • We now use libnpm for the API functionality of a lot of our commands! That means you can install a library if you want to write your own tooling around them.
  • There's now an npm org command for managing users in your org.
  • pacote now consumes npm-style configurations, instead of its own naming for various config vars. This will make it easier to load npm configs using libnpm.config and hand them directly to pacote.

There's too many commits to list all of them here, so check out the PR if you're curious about details:

NEW FEATURES
BUGFIXES
DOCS
DEPENDENCIES
TESTING
MISCELLANEOUS

v6.5.0

NEW FEATURES
BUGFIXES
DOCS UPDATES
DEPENDENCIES
MISCELLANEOUS

v6.4.1

BUGFIXES
DEPENDENCY BUMPS
DOCUMENTATION

v6.4.0

NEW FEATURES
  • 6e9f04b0b npm/cli#​8 Search for authentication token defined by environment variables by preventing the translation layer from env variable to npm option from breaking :_authToken. (@​mkhl)
  • 84bfd23e7 npm/cli#​35 Stop filtering out non-IPv4 addresses from local-addrs, making npm actually use IPv6 addresses when it must. (@​valentin2105)
  • 792c8c709 npm/cli#31 Configurable audit level for non-zero exit. npm audit currently exits with exit code 1 if any vulnerabilities are found of any level. Add a flag of --audit-level to npm audit to allow it to pass if only vulnerabilities below a certain level are found. Example: npm audit --audit-level=high will exit with 0 if only low or moderate level vulns are detected. (@lennym)
BUGFIXES
DEPENDENCY UPDATES

A very special dependency update event! Since the release of [email protected], an awkward version conflict that was preventing request from being flattened was resolved. This means two things:

  1. We've cut down the npm tarball size by another 200kb, to 4.6MB
  2. npm audit now shows no vulnerabilities for npm itself!

Thanks, @​rvagg!

DOCUMENTATION

v6.3.0

This is basically the same as the prerelease, but two dependencies have been bumped due to bugs that had been around for a while.

v6.2.0

In case you missed it, we moved! We look forward to seeing future PRs landing in npm/cli in the future, and we'll be chatting with you all in npm.community. Go check it out!

This final release of [email protected] includes a couple of features that weren't quite ready on time but that we'd still like to include. Enjoy!

FEATURES
FIXES
DEPENDENCY BUMPS
DOCS

v6.1.0

FIX WRITE AFTER END ERROR

First introduced in 5.8.0, this finally puts to bed errors where you would occasionally see Error: write after end at MiniPass.write.

DETECT CHANGES IN GIT SPECIFIERS
  • 0e1726c03 We can now determine if the commitid of a git dependency in the lockfile is derived from the specifier in the package.json and if it isn't we now trigger an update for it. (@​iarna)
OTHER BUGS
  • 442d2484f 2f0c88351 631d30a34 When requesting the update of a direct dependency that was also a transitive dependency to a version incompatible with the transitive requirement and you had a lock-file but did not have a node_modules folder then npm would fail to provide a new copy of the transitive dependency, resulting in an invalid lock-file that could not self heal. (@​iarna)
  • be5dd0f49 #​20715 Cleanup output of npm ci summary report. (@​legodude17)
  • 98ffe4adb Node.js now has a test that scans for things that look like conflict markers in source code. This was triggering false positives on a fixture in a test of npm's ability to heal lockfiles with conflicts in them. (@​iarna)
DEPENDENCY UPDATES

v6.0.1

AUDIT SHOULDN'T WAIT FOREVER

This will likely be reduced further with the goal that the audit process shouldn't noticeably slow down your builds regardless of your network situation.

Looking forward

We're still a way from having node@11, so now's a good time to ensure we don't warn about being used with it.

v6.0.0

Hey y'all! Here's another npm@6 release -- with node@10 around the corner, this might well be the last prerelease before we tag 6.0.0! There's two major features included with this release, along with a few miscellaneous fixes and changes.

EXTENDED npm init SCAFFOLDING

Thanks to the wonderful efforts of @​jdalton of lodash fame, npm init can now be used to invoke custom scaffolding tools!

You can now do things like npm init react-app or npm init esm to scaffold an npm package by running create-react-app and create-esm, respectively. This also adds an npm create alias, to correspond to Yarn's yarn create feature, which inspired this.

DEPENDENCY AUDITING

This version of npm adds a new command, npm audit, which will run a security audit of your project's dependency tree and notify you about any actions you may need to take.

The registry-side services required for this command to work will be available on the main npm registry in the coming weeks. Until then, you won't get much out of trying to use this on the CLI.

As part of this change, the npm CLI now sends scrubbed and cryptographically anonymized metadata about your dependency tree to your configured registry, to allow notifying you about the existence of critical security flaws. For details about how the CLI protects your privacy when it shares this metadata, see npm help audit, or read the docs for npm audit online. You can disable this altogether by doing npm config set audit false, but will no longer benefit from the service.


Renovate configuration

Schedule: "before 3am on Monday" (UTC).

Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or if you modify the PR title to begin with "rebase!".

Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Renovate Bot.

renovate[bot], Apr 24 '19 10:04