Look at that! A feature bump!
[email protected] was super-exciting not just because it used a bigger number than ever before, but also because it included a super shiny new command: npm audit. Well, we've kept working on it since then and have some really nice improvements for it. You can expect more of them, and the occasional fix, in the next few releases as more users start playing with it and we get more feedback about what y'all would like to see from something like this.
I, for one, have started running it (and the new subcommand...) in all my projects, and it's one of those things that I don't know how I ever functioned -without- it! This will make a world of difference to so many people as far as making the npm ecosystem a higher-quality, safer commons for all of us.
This is also a good time to remind y'all that we have a new RFCs repository, along with a new process for them. This repo is open to anyone's RFCs, and has already received some great ideas about where we can take the CLI (and, to a certain extent, the registry). It's a great place to get feedback, and completely replaces feature requests in the main repo, so we won't be accepting feature requests there at all anymore. Check it out if you have something you'd like to suggest, or if you want to keep track of what the future might look like!
npm audit fix
This is the biggie with this release!
npm audit fix does exactly what it says on the tin. It takes all the actionable reports from your npm audit and runs the installs automatically for you, so you don't have to try to do all that mechanical work yourself!
Note that by default, npm audit fix will stick to semver-compatible changes, so you should be able to safely run it on most projects and carry on with your day without having to track down what breaking changes were included. If you want your (toplevel) dependencies to accept semver-major bumps as well, you can use npm audit fix --force and it'll toss those in, as well. Since it's running the npm installer under the hood, it also supports --only=dev flags, as well as things like --package-lock-only, if you want more control over what it does.
Give it a whirl and tell us what you think! See npm help audit for full docs!
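As an added example (not code from these release notes or from npm itself), here is a small Node script that applies the same semver-compatible vs. --force split described above to a parsed npm audit --json report and decides whether a CI run should fail on what would remain; the field names are an assumption about npm 6's audit JSON, and the sample report is constructed.

```javascript
// Added example, not code from the npm release notes or the npm CLI. It
// triages a parsed `npm audit --json` report the way the text describes
// `npm audit fix`: semver-compatible actions apply now, major bumps wait for
// --force, "review" actions need a human. Field names are assumed from npm 6.

// Constructed sample report: package names and advisory ids are made up.
const SAMPLE_REPORT = {
  actions: [
    { action: 'update', module: 'pkg-a', target: '1.2.3', isMajor: false,
      resolves: [{ id: 1001, path: 'pkg-a', dev: false }] },
    { action: 'install', module: 'pkg-b', target: '2.0.0', isMajor: true,
      resolves: [{ id: 1002, path: 'pkg-b', dev: false }] },
    { action: 'review', module: 'pkg-c', target: null, isMajor: false,
      resolves: [{ id: 1003, path: 'build-tool>pkg-c', dev: true }] },
  ],
  advisories: {
    1001: { severity: 'low', module_name: 'pkg-a' },
    1002: { severity: 'high', module_name: 'pkg-b' },
    1003: { severity: 'moderate', module_name: 'pkg-c' },
  },
};

// Split actions into what `npm audit fix` applies by default, what only
// `--force` applies (semver-major bumps), and what it cannot fix on its own.
function triageAudit(report, { force = false } = {}) {
  const result = { willFix: [], needsForce: [], manual: [] };
  for (const a of report.actions) {
    const entry = { module: a.module, target: a.target, advisories: a.resolves.map((r) => r.id) };
    if (a.action === 'review') result.manual.push(entry);
    else if (a.isMajor && !force) result.needsForce.push(entry);
    else result.willFix.push(entry);
  }
  return result;
}

// Count advisories, by severity, that the planned fixes would leave open.
function remainingSeverities(report, triage) {
  const fixed = new Set(triage.willFix.flatMap((e) => e.advisories));
  const counts = {};
  for (const [id, adv] of Object.entries(report.advisories)) {
    if (fixed.has(Number(id))) continue;
    counts[adv.severity] = (counts[adv.severity] || 0) + 1;
  }
  return counts;
}
// CI gate: true when a high or critical advisory would still be open.
function gateFails(report, opts) {
  const left = remainingSeverities(report, triageAudit(report, opts));
  return (left.high || 0) + (left.critical || 0) > 0;
}
```

In practice you would JSON.parse the real output of npm audit --json instead of SAMPLE_REPORT; the needsForce bucket is the one to read before deciding whether the major bumps are acceptable.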
npm audit fix subcommand to automatically fix detected vulnerabilities. (@zkat)
1854b1c7f #20568 Add support for npm audit --json to print the report in JSON format. (@finnp)
85b86169d #20570 Include number of audited packages in npm install summary output. (@zkat)
[email protected]: Overhaul audit install and detail output format. The new format is terser and fits more closely into the visual style of the CLI, while still providing you with the important bits of information you need. They also include a bit more detail on the footer about what actions you can take! (@zkat)
NEW FEATURE: GIT DEPS AND npm init <pkg>!
Another exciting change that came with [email protected] was the new npm init command that allows for community-authored generators. That means you can, for example, do npm init react-app and it'll one-off download, install, and run create-react-app for you, without requiring or keeping around any global installs. That is, it basically just calls out to
The first version of this command only really supported registry dependencies, but now, @jdalton went ahead and extended this feature so you can use hosted git dependencies, and their shorthands.
So go ahead and do npm init facebook/create-react-app and it'll grab the package from the github repo now! Or you can use it with a private github repository to maintain your organizational scaffolding tools or whatnot. ✨
FIX WRITE AFTER END ERROR
First introduced in 5.8.0, this finally puts to bed errors where you would occasionally see Error: write after end at MiniPass.write.
DETECT CHANGES IN GIT SPECIFIERS
0e1726c03 We can now determine if the commitid of a git dependency in the lockfile is derived from the specifier in the package.json and if it isn't we now trigger an update for it. (@iarna)
631d30a34 When requesting the update of a direct dependency that was also a transitive dependency, to a version incompatible with the transitive requirement, and you had a lock-file but did not have a node_modules folder, npm would fail to provide a new copy of the transitive dependency, resulting in an invalid lock-file that could not self-heal. (@iarna)
be5dd0f49 #20715 Cleanup output of npm ci summary report. (@legodude17)
98ffe4adb Node.js now has a test that scans for things that look like conflict markers in source code. This was triggering false positives on a fixture in a test of npm's ability to heal lockfiles with conflicts in them. (@iarna)
a41c0393c #20538 Make the new npm view work when the license field is an object instead of a string. (@zkat)
eb7522073 #20582 Add support for environments (like Docker) where the expected binary for opening external URLs is not available. (@bcoe)
212266529 #20536 Fix a spurious colon in the new update notifier message and add support for the npm canary. (@zkat)
5ee1384d0 #20597 Infer a version range when a package.json has a dist-tag instead of a version range in one of its dependency specs. Previously, this would cause dependencies to be flagged as invalid. (@zkat)
4fa68ae41 #20585 Make sure scoped bundled deps are shown in the new publish preview, too. (@zkat)
[email protected]: Stop dropping size from metadata on npm cache verify. (@jfmartinez)
91ef93691 #20513 Fix nested command aliases. (@mmermerkaya)
[email protected]: Make sure different versions of the Path env var on Windows all get node_modules/.bin prepended when running lifecycle scripts. (@laggingreflex)