This repository was archived by the owner on Jun 4, 2019. It is now read-only.

Update npm to v6 #460

Status: Open (1 commit into base: master)

@renovate renovate bot commented Apr 24, 2019

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| npm (source) | engines | major | >=5 -> >=6.9.0 |

Release Notes

npm/cli

v6.9.0

Compare Source

FEATURES
BUGFIXES
DOCS
DEPENDENCIES

v6.8.0

Compare Source

This release includes an implementation of RFC #​10, documenting an optional field that can be used to specify
the directory path for a package within a monorepo.

NEW FEATURES
BUGFIXES
DEPENDENCY BUMPS
MISC

v6.7.0

Compare Source

Hey y'all! This is a quick hotfix release that includes some important fixes to
[email protected] related to the large rewrite/refactor. We're tagging it as a feature
release because the changes involve some minor new features, and semver is
semver, but there's nothing major here.

NEW FEATURES
  • 50463f58b
    Improve usage errors to npm org commands and add optional filtering to npm org ls subcommand.
    (@​zkat)
BUGFIXES
  • 4027070b0
    Fix default usage printout for npm org so you actually see how it's supposed
    to be used.
    (@​zkat)
  • cfea6ea5b
    fix default usage message for npm hook
    (@​zkat)
DOCS
DEPENDENCY BUMPS

v6.6.0

Compare Source

REFACTORING OUT npm-REGISTRY-CLIENT

Today is an auspicious day! This release marks the end of a massive internal
refactor to npm that means we finally got rid of the legacy
npm-registry-client in favor of the
shiny, new, window.fetch-like
npm-registry-fetch.

Now, the installer had already done most of this work with the release of
npm@5, but it turns out every other command still used the legacy client.
This release updates all of those commands to use the new client, and while
we're at it, adds a few extra goodies:

  • All OTP-requiring commands will now prompt. --otp is no longer required for dist-tag, access, et al.
  • We're starting to integrate a new config system which will eventually get extracted into a standalone package.
  • We now use libnpm for the API functionality of a lot of our commands! That means you can install a library if you want to write your own tooling around them.
  • There's now an npm org command for managing users in your org.
  • pacote now consumes npm-style configurations, instead of its own naming for various config vars. This will make it easier to load npm configs using libnpm.config and hand them directly to pacote.

There's too many commits to list all of them here, so check out the PR if you're
curious about details:

NEW FEATURES
BUGFIXES
DOCS
DEPENDENCIES
TESTING
MISCELLANEOUS

v6.5.0

Compare Source

NEW FEATURES
BUGFIXES
DOCS UPDATES
DEPENDENCIES
MISCELLANEOUS

v6.4.1

Compare Source

BUGFIXES
DEPENDENCY BUMPS
DOCUMENTATION

v6.4.0

Compare Source

NEW FEATURES
  • 6e9f04b0b
    npm/cli#​8
    Search for authentication token defined by environment variables by preventing
    the translation layer from env variable to npm option from breaking
    :_authToken.
    (@​mkhl)
  • 84bfd23e7
    npm/cli#​35
    Stop filtering out non-IPv4 addresses from local-addrs, making npm actually
    use IPv6 addresses when it must.
    (@​valentin2105)
  • 792c8c709
    npm/cli#​31
    configurable audit level for non-zero exit
    npm audit currently exits with exit code 1 if any vulnerabilities are found of any level.
    Add a flag of --audit-level to npm audit to allow it to pass if only vulnerabilities below a certain level are found.
    Example: npm audit --audit-level=high will exit with 0 if only low or moderate level vulns are detected.
    (@​lennym)
BUGFIXES
DEPENDENCY UPDATES

A very special dependency update event! Since the release of
[email protected], an awkward
version conflict that was preventing request from being flattened was
resolved. This means two things:

  1. We've cut down the npm tarball size by another 200kb, to 4.6MB
  2. npm audit now shows no vulnerabilities for npm itself!

Thanks, @​rvagg!

DOCUMENTATION

v6.3.0

Compare Source

This is basically the same as the prerelease, but two dependencies have been
bumped due to bugs that had been around for a while.

v6.2.0

Compare Source

In case you missed it, we moved! We
look forward to seeing future PRs landing in
npm/cli in the future, and we'll be chatting with
you all in npm.community. Go check it out!

This final release of [email protected] includes a couple of features that weren't
quite ready on time but that we'd still like to include. Enjoy!

FEATURES
FIXES
DEPENDENCY BUMPS
DOCS

v6.1.0

Compare Source

FIX WRITE AFTER END ERROR

First introduced in 5.8.0, this finally puts to bed errors where you would
occasionally see Error: write after end at MiniPass.write.

DETECT CHANGES IN GIT SPECIFIERS
  • 0e1726c03
    We can now determine if the commitid of a git dependency in the lockfile is derived
    from the specifier in the package.json and if it isn't we now trigger an update for it.
    (@​iarna)
OTHER BUGS
  • 442d2484f
    2f0c88351
    631d30a34
    When requesting the update of a direct dependency that was also a
    transitive dependency to a version incompatible with the transitive
    requirement and you had a lock-file but did not have a node_modules
    folder then npm would fail to provide a new copy of the transitive
    dependency, resulting in an invalid lock-file that could not self heal.
    (@​iarna)
  • be5dd0f49
    #​20715
    Cleanup output of npm ci summary report.
    (@​legodude17)
  • 98ffe4adb
    Node.js now has a test that scans for things that look like conflict
    markers in source code. This was triggering false positives on a fixture in a test
    of npm's ability to heal lockfiles with conflicts in them.
    (@​iarna)
DEPENDENCY UPDATES

v6.0.1

Compare Source

AUDIT SHOULDN'T WAIT FOREVER

This will likely be reduced further with the goal that the audit process
shouldn't noticeably slow down your builds regardless of your network
situation.

Looking forward

We're still a way from having node@11, so now's a good time to ensure we
don't warn about being used with it.

v6.0.0

Compare Source

Hey y'all! Here's another npm@6 release -- with node@10 around the corner,
this might well be the last prerelease before we tag 6.0.0! There's two major
features included with this release, along with a few miscellaneous fixes and
changes.

EXTENDED npm init SCAFFOLDING

Thanks to the wonderful efforts of @​jdalton of
lodash fame, npm init can now be used to invoke custom scaffolding tools!

You can now do things like npm init react-app or npm init esm to scaffold an
npm package by running create-react-app and create-esm, respectively. This
also adds an npm create alias, to correspond to Yarn's yarn create feature,
which inspired this.

DEPENDENCY AUDITING

This version of npm adds a new command, npm audit, which will run a security
audit of your project's dependency tree and notify you about any actions you may
need to take.

The registry-side services required for this command to work will be available
on the main npm registry in the coming weeks. Until then, you won't get much out
of trying to use this on the CLI.

As part of this change, the npm CLI now sends scrubbed and cryptographically
anonymized metadata about your dependency tree to your configured registry, to
allow notifying you about the existence of critical security flaws. For details
about how the CLI protects your privacy when it shares this metadata, see npm help audit, or read the docs for npm audit
online. You
can disable this altogether by doing npm config set audit false, but will no
longer benefit from the service.


Renovate configuration

📅 Schedule: "before 3am on Monday" (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever PR becomes conflicted, or if you modify the PR title to begin with "rebase!".

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot. View repository job log here.

@renovate renovate bot added the js dependencies JS dependency updates by Renovate bot label Apr 24, 2019
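
The `--audit-level` exit-code rule described in the v6.4.0 release notes above, modelled as an added example (not code from npm or from this repository). It assumes the severity order low < moderate < high < critical and a report carrying per-severity counts under `metadata.vulnerabilities`, as in `npm audit --json` output; `auditGate` and `sampleReport` are hypothetical names and the counts are constructed.

```javascript
'use strict';

// Severity order assumed for npm audit, lowest to highest.
const LEVELS = ['low', 'moderate', 'high', 'critical'];

// Decide a CI exit code from a parsed `npm audit --json` report.
// Returns { exitCode, blocking }, where blocking lists the severities at or
// above the threshold that have a non-zero count.
function auditGate(report, auditLevel = 'low') {
  const threshold = LEVELS.indexOf(auditLevel);
  if (threshold === -1) {
    // A typo in the level must not silently disable the gate.
    throw new Error(`unknown audit level: ${auditLevel}`);
  }
  const counts = report && report.metadata && report.metadata.vulnerabilities;
  if (!counts || typeof counts !== 'object') {
    // Fail closed: a report without counts must not pass the gate.
    throw new Error('report has no metadata.vulnerabilities counts');
  }
  const blocking = LEVELS.slice(threshold)
    .filter((level) => Number(counts[level]) > 0);
  return { exitCode: blocking.length > 0 ? 1 : 0, blocking };
}

// Constructed sample shaped like the summary section of an audit report.
const sampleReport = {
  metadata: {
    vulnerabilities: { info: 0, low: 3, moderate: 1, high: 0, critical: 0 },
  },
};

// Without a threshold any finding fails the build; with "high" the same
// report passes because only low and moderate findings are present.
console.log(auditGate(sampleReport));
console.log(auditGate(sampleReport, 'high'));
```
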
@codecov codecov bot commented Apr 24, 2019

Codecov Report

Merging #460 into master will increase coverage by 0.02%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master     #460      +/-   ##
==========================================
+ Coverage   86.05%   86.08%   +0.02%     
==========================================
  Files          25       25              
  Lines        3398     3398              
==========================================
+ Hits         2924     2925       +1     
+ Misses        474      473       -1

| Impacted Files | Coverage Δ |
|---|---|
| t4/api.py | 87.5% <0%> (+0.41%) ⬆️ |

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 81bc2ab...458f939. Read the comment docs.
