|
| 1 | +### v2.14.2 (2015-08-27): |
| 2 | + |
| 3 | +#### GETTING THAT PESKY `preferGlobal` WARNING RIGHT |
| 4 | + |
| 5 | +So apparently the `preferGlobal` option hasn't quite been warning correctly for |
| 6 | +some time. But now it should be all better! tl;dr: if you try and install a |
| 7 | +dependency with `preferGlobal: true`, and it's _not already_ in your |
| 8 | +`package.json`, you'll get a warning that the author would really rather you |
| 9 | +install it with `--global`. :) |
| 10 | + |
| 11 | +* [`bbb25f3`](https://github.com/npm/npm/commit/bbb25f30d582f8979168c79233a9f8f840974f90) |
| 12 | + [#8841](https://github.com/npm/npm/issues/8841) |
| 13 | + [#9409](https://github.com/npm/npm/issues/9409) The `preferGlobal` |
| 14 | + warning shouldn't happen if the dependency being installed is listed in |
| 15 | + `devDependencies`. ([@saper](https://github.com/saper)) |
| 16 | +* [`222fcec`](https://github.com/npm/npm/commit/222fcec85ccd30d35899e5037079fb14625af4e2) |
| 17 | + [#9409](https://github.com/npm/npm/issues/9409) `preferGlobal` now prints a |
| 18 | + warning when there are no dependencies for the current package. |
| 19 | + ([@zkat](https://github.com/zkat)) |
| 20 | +* [`5cfed6d`](https://github.com/npm/npm/commit/5cfed6d7a1a5f2731688cfc8293b5e43a6355393) |
| 21 | + [#9409](https://github.com/npm/npm/issues/9409) Verify that |
| 22 | + `preferGlobal` is warning as expected (when a `preferGlobal` dependency is |
| 23 | + installed, but isn't listed in either `dependencies` or `devDependencies`). |
| 24 | + ([@zkat](https://github.com/zkat)) |
| 25 | + |
| 26 | +#### BUMP +1 |
| 27 | + |
| 28 | +* [`eeafce2`](https://github.com/npm/npm/commit/eeafce2d06883c0f51bf403415b6bc5f2647eba3) |
| 29 | + `validate-npm-package-license@3.0.1`: Include additional metadata in parsed license object, |
| 30 | + useful for license checkers. ([@kemitchell](https://github.com/kemitchell)) |
| 31 | +* [`1502a28`](https://github.com/npm/npm/commit/1502a285f84aa548806b3eafc8889e6288e810f3) |
| 32 | + `normalise-package-data@2.3.2`: Updated to use `validate-npm-package-license@3.0.1`. |
| 33 | + ([@othiym23](https://github.com/othiym23)) |
| 34 | +* [`cbde823`](https://github.com/npm/npm/commit/cbde8233436bf0ea62a4740869b4990322c20659) |
| 35 | + `init-package-json@1.9.1`: Add a `silent` option to suppress output on writing the |
| 36 | + generated `package.json`. Also, updated to use `validate-npm-package-license@3.0.1`. |
| 37 | + ([@zkat](https://github.com/zkat)) |
| 38 | +* [`08fda46`](https://github.com/npm/npm/commit/08fda465452b4d77f1ced8050ee3a35a77fc30a5) |
| 39 | + `tar@2.2.0`: Minor improvements. ([@othiym23](https://github.com/othiym23)) |
| 40 | +* [`dc2f20b`](https://github.com/npm/npm/commit/dc2f20b53fff77203139c863b48da0e959df2ac9) |
| 41 | + `rimraf@2.4.3`: `EPERM` now triggers a delay / retry loop (since Windows throws |
| 42 | + this when things still hold a handle). ([@isaacs](https://github.com/isaacs)) |
| 43 | +* [`e8acb27`](https://github.com/npm/npm/commit/e8acb273aa67ee0394d0431650e1b2a7d09c8554) |
| 44 | + `read@1.0.7`: Fix licensing ambiguity. ([@isaacs](https://github.com/isaacs)) |
| 45 | + |
| 46 | +#### OTHER STUFF THAT'S RELEVANT |
| 47 | + |
| 48 | +* [`73a1ee0`](https://github.com/npm/npm/commit/73a1ee0be90fa1928521b63f28bef83b8ffab61d) |
| 49 | + [#9386](https://github.com/npm/npm/issues/9386) Include additional unignorable files in |
| 50 | + documentation. |
| 51 | + ([@mjhasbach](https://github.com/mjhasbach)) |
| 52 | +* [`0313e40`](https://github.com/npm/npm/commit/0313e40ee0f757fce8861be590ad668c23d7be53) |
| 53 | + [#9396](https://github.com/npm/npm/issues/9396) Improve the `EISDIR` error |
| 54 | + message returned by npm's error-handling code to give users a better hint of |
| 55 | + what's most likely going on. Usually, error reports with this error code are |
| 56 | + about people trying to install things without a `package.json`. |
| 57 | + ([@KenanY](https://github.com/KenanY)) |
| 58 | +* [`2677457`](https://github.com/npm/npm/commit/26774579c739c5951351e58263cf4d6ea3d66ec8) |
| 59 | + [#9360](https://github.com/npm/npm/issues/9360) Make it easier to run |
| 60 | + only _some_ of npm tests with lifecycle scripts via `npm tap test/tap/testname.js`. |
| 61 | + ([@iarna](https://github.com/iarna)) |
| 62 | + |
| 63 | +### v2.14.1 (2015-08-20): |
| 64 | + |
| 65 | +#### SECURITY FIX |
| 66 | + |
| 67 | +There are patches for two information leaks of moderate severity in `npm@2.14.1`: |
| 68 | + |
| 69 | +1. In some cases, npm was leaking sensitive credential information into the |
| 70 | + child environment when running package and lifecycle scripts. This could |
| 71 | + lead to packages being published with files (most notab
6D3B
ly `config.gypi`, a |
| 72 | + file created by `node-gyp` that is a cache of environmental information |
| 73 | + regenerated on every run) containing the bearer tokens used to authenticate |
| 74 | + users to the registry. Users with affected packages have been notified (and |
| 75 | + the affected tokens invalidated), and now npm has been modified to not |
| 76 | + upload files that could contain this information, as well as scrubbing the |
| 77 | + sensitive information out of the environment passed to child scripts. |
| 78 | +2. Per-package `.npmrc` files are used by some maintainers as a way to scope |
| 79 | + those packages to a specific registry and its credentials. This is a |
| 80 | + reasonable use case, but by default `.npmrc` was packed into packages, |
| 81 | + leaking those credentials. npm will no longer include `.npmrc` when packing |
| 82 | + tarballs. |
| 83 | + |
| 84 | +If you maintain packages and believe you may be affected by either |
| 85 | +of the above scenarios (especially if you've received a security |
| 86 | +notification from npm recently), please upgrade to `npm@2.14.1` as |
| 87 | +soon as possible. If you believe you may have inadvertently leaked |
| 88 | +your credentials, upgrade to `npm@2.14.1` on the affected machine, |
| 89 | +and run `npm logout` and then `npm login`. Your access tokens will be |
| 90 | +invalidated, which will eliminate any risk posed by tokens inadvertently |
| 91 | +included in published packages. We apologize for the inconvenience this |
| 92 | +causes, as well as the oversight that led to the existence of this issue |
| 93 | +in the first place. |
| 94 | + |
| 95 | +Huge thanks to [@ChALkeR](https://github.com/ChALkeR) for bringing these |
| 96 | +issues to our attention, and for helping us identify affected packages |
| 97 | +and maintainers. Thanks also to the Node.js security working group for |
| 98 | +their coördination with the team in our response to this issue. We |
| 99 | +appreciate everybody's patience and understanding tremendously. |
| 100 | + |
| 101 | +* [`b9474a8`](https://github.com/npm/npm/commit/b9474a843ca55b7c5fac6da33989e8eb39aff8b1) |
| 102 | + `fstream-npm@1.0.5`: Stop publishing build cruft (`config.gypi`) and per-project |
| 103 | + `.npmrc` files to keep local configuration out of published packages. |
| 104 | + ([@othiym23](https://github.com/othiym23)) |
| 105 | +* [`13c286d`](https://github.com/npm/npm/commit/13c286dbdc3fa8fec4cb79fc4d1ee505c8a41b2e) |
| 106 | + [#9348](https://github.com/npm/npm/issues/9348) Filter "private" |
| 107 | + (underscore-prefixed, even when scoped to a registry) configuration values |
| 108 | + out of child environments. ([@othiym23](https://github.com/othiym23)) |
| 109 | + |
| 110 | +#### BETTER WINDOWS INTEGRATION, ONE STEP AT A TIME |
| 111 | + |
| 112 | +* [`e40e71f`](https://github.com/npm/npm/commit/e40e71f2f838a8a42392f44e3eeec04e323ab743) |
| 113 | + [#6412](https://github.com/npm/npm/issues/6412) Improve the search strategy |
| 114 | + used by the npm shims for Windows to prioritize your own local npm installs. |
| 115 | + npm has really needed this tweak for a long time, so hammer on it and let us |
| 116 | + know if you run into issues, but with luck it will Just Work. |
| 117 | + ([@joaocgreis](https://github.com/joaocgreis)) |
| 118 | +* [`204ebbb`](https://github.com/npm/npm/commit/204ebbb3e0cab696a429a878ceeb4a7e78ec2b94) |
| 119 | + [#8751](https://github.com/npm/npm/issues/8751) |
| 120 | + [#7333](https://github.com/npm/npm/issues/7333) Keep [autorun |
| 121 | + scripts](https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx) from |
| 122 | + interfering with npm package and lifecycle script execution on Windows by |
| 123 | + adding `/d` and `/s` when invoking `cmd.exe`. |
| 124 | + ([@saper](https://github.com/saper)) |
| 125 | + |
| 126 | +#### IT SEEMED LIKE AN IDEA AT THE TIME |
| 127 | + |
| 128 | +* [`286f3d9`](https://github.com/npm/npm/commit/286f3d97103812f0fd84b70352addbe899e258f9) |
| 129 | + [#9201](https://github.com/npm/npm/pull/9201) For a while npm was building |
| 130 | + HTML partials for use on [`docs.npmjs.com`](https://docs.npmjs.com), but we |
| 131 | + weren't actually using them. Stop building them, which makes running the full |
| 132 | + test suite and installation process around a third faster. |
| 133 | + ([@isaacs](https://github.com/isaacs)) |
| 134 | + |
| 135 | +#### A SINGLE LONELY DEPENDENCY UPGRADE |
| 136 | + |
| 137 | +* [`b343b95`](https://github.com/npm/npm/commit/b343b956ef777e321e4251ddc96ec6d80827d9e2) |
| 138 | + `request@2.61.0`: Bug fixes and keep-alive tweaks. |
| 139 | + ([@simov](https://github.com/simov)) |
| 140 | + |
| 141 | +### v2.14.0 (2015-08-13): |
| 142 | + |
| 143 | +#### IT'S HERE! KINDA! |
| 144 | + |
| 145 | +This release adds support for teens and orcs (err, teams and organizations) to |
| 146 | +the npm CLI! Note that the web site and registry-side features of this are |
| 147 | +still not ready for public consumption. |
| 148 | + |
| 149 | +A beta should be starting in the next couple of weeks, and the features |
| 150 | +themselves will become public once all that's done. Keep an eye out for more |
| 151 | +news! |
| 152 | + |
| 153 | +All of these changes were done under [`#9011`](https://github.com/npm/npm/pull/9011): |
| 154 | + |
| 155 | +* [`6424170`](https://github.com/npm/npm/commit/6424170fc17c666a6efc090370ec691e0cab1792) |
| 156 | + Added new `npm team` command and subcommands. |
| 157 | + ([@zkat](https://github.com/zkat)) |
| 158 | +* [`52220d1`](https://github.com/npm/npm/commit/52220d146d474ec29b683bd99c06f75cbd46a9f4) |
| 159 | + Added documentation for new `npm team` command. |
| 160 | + ([@zkat](https://github.com/zkat)) |
| 161 | +* [`4e66830`](https://github.com/npm/npm/commit/4e668304850d02df8eb27a779fda76fe5de645e7) |
| 162 | + Updated `npm access` to support teams and organizations. |
| 163 | + ([@zkat](https://github.com/zkat)) |
| 164 | +* [`ea3eb87`](https://github.com/npm/npm/commit/ea3eb8733d9fa09ce34106b1b19fb1a8f95844a5) |
| 165 | + Gussied up docs for `npm access` with new commands. |
| 166 | + ([@zkat](https://github.com/zkat)) |
| 167 | +* [`6e0b431`](https://github.com/npm/npm/commit/6e0b431c1de5e329c86e57d097aa88ebfedea864) |
| 168 | + Fix up `npm whoami` to make the underlying API usable elsewhere. |
| 169 | + ([@zkat](https://github.com/zkat)) |
| 170 | +* [`f29c931`](https://github.com/npm/npm/commit/f29c931012ce5ccd69c29d83548f27e443bf7e62) |
| 171 | + `npm-registry-client@7.0.1`: Upgrade `npm-registry-client` API to support |
| 172 | + `team` and `access` calls against the registry. |
| 173 | + ([@zkat](https://github.com/zkat)) |
| 174 | + |
| 175 | +#### A FEW EXTRA VERSION BUMPS |
| 176 | + |
| 177 | +* [`c977e12`](https://github.com/npm/npm/commit/c977e12cbfa50c2f52fc807f5cc19ba1cc1b39bf) |
| 178 | + `init-package-json@1.8.0`: Checks for some `npm@3` metadata. |
| 179 | + ([@iarna](https://github.com/iarna)) |
| 180 | +* [`5c8c9e5`](https://github.com/npm/npm/commit/5c8c9e5ae177ba7d0d298cfa42f3fc7f0271e4ec) |
| 181 | + `columnify@1.5.2`: Updated some dependencies. |
| 182 | + ([@timoxley](https://github.com/timoxley)) |
| 183 | +* [`5d56742`](https://github.com/npm/npm/commit/5d567425768b75aeab402c817a53d8b2bc60d8de) |
| 184 | + `chownr@1.0.1`: Tests, docs, and minor style nits. |
| 185 | + ([@isaacs](https://github.com/isaacs)) |
| 186 | + |
| 187 | +#### ALSO A DOC FIX |
| 188 | + |
| 189 | +* [`846fcc7`](https://github.com/npm/npm/commit/846fcc79b86984b109a97366b0422f995a45f8bf) |
| 190 | + [`#9200`](https://github.com/npm/npm/pull/9200) Remove single quotes |
| 191 | + around semver range, thus making it valid semver. |
| 192 | + ([@KenanY](https://github.com/KenanY)) |
| 193 | + |
| 194 | +### v2.13.5 (2015-08-07): |
| 195 | + |
| 196 | +This is another quiet week for the `npm@2` release. |
| 197 | +[@zkat](https://github.com/zkat) has been working hard on polishing the CLI |
| 198 | +bits of the registry's new feature to support direct management of teams and |
| 199 | +organizations, and [@iarna](https://github.com/iarna) continues to work through |
| 200 | +the list of issues blocking the general release of `npm@3`, which is looking |
| 201 | +more and more solid all the time. |
| 202 | + |
| 203 | +[@othiym23](https://github.com/othiym23) and [@zkat](https://github.com/zkat) |
| 204 | +have also been at this week's Node.js / io.js [collaborator |
| 205 | +summit](https://github.com/nodejs/summit/tree/master), both as facilitators and |
| 206 | +participants. This is a valuable opportunity to get some face time with other |
| 207 | +contributors and to work through a bunch of important discussions, but it does |
| 208 | +leave us feeling kind of sleepy. Running meetings is hard! |
| 209 | + |
| 210 | +What does that leave for this release? A few of the more tricky bug fixes that |
| 211 | +have been sitting around for a little while now, and a couple dependency |
| 212 | +upgrades. Nothing too fancy, but most of these were contributed by developers |
| 213 | +like _you_, which we think is swell. Thanks! |
| 214 | + |
| 215 | +#### BUG FIXES |
| 216 | + |
| 217 | +* [`d7271b8`](https://github.com/npm/npm/commit/d7271b8226712479cdd339bf85faf7e394923e0d) |
| 218 | + [#4530](https://github.com/npm/npm/issues/4530) The bash completion script |
| 219 | + for npm no longer alters global completion behavior around word breaks. |
| 220 | + ([@whitty](https://github.com/whitty)) |
| 221 | +* [`c9ce294`](https://github.com/npm/npm/commit/c9ce29415a0a8fc610690b6e9d91b64d6e36cfcc) |
| 222 | + [#7198](https://github.com/npm/npm/issues/7198) When setting up dependencies |
| 223 | + to be shared via `npm link <package>`, only run the lifecycle scripts during |
| 224 | + the original link, not when running `npm link <package>` or `npm install |
| 225 | + --link` against them. ([@murgatroid99](https://github.com/murgatroid99)) |
| 226 | +* [`422da66`](https://github.com/npm/npm/commit/422da664bd3ce71313da447f170507faf5aac46a) |
| 227 | + [#9108](https://github.com/npm/npm/issues/9108) Clear up minor confusion |
| 228 | + around wording in `bundledDependencies` section of `package.json` docs. |
| 229 | + ([@derekpeterson](https://github.com/derekpeterson)) |
| 230 | +* [`6b42d99`](https://github.com/npm/npm/commit/6b42d99460885e715772d3487b1c548d2bc8a738) |
| 231 | + [#9146](https://github.com/npm/npm/issues/9146) Include scripts that run for |
| 232 | + `preversion`, `version`, and `postversion` in the section for lifecycle |
| 233 | + scripts rather than the generic `npm run-script` output. |
| 234 | + ([@othiym23](https://github.com/othiym23)) |
| 235 | + |
| 236 | +#### NOPE, NOT DONE WITH DEPENDENCY UPDATES |
| 237 | + |
| 238 | +* [`91a48bb`](https://github.com/npm/npm/commit/91a48bb5ef5a990781c86f8b69b8a32cf4fac2d9) |
| 239 | + `chmodr@1.0.1`: Ignore symbolic links when recursively changing mode, just |
| 240 | + like the Unix command. ([@isaacs](https://github.com/isaacs)) |
| 241 | +* [`4bbc86e`](https://github.com/npm/npm/commit/4bbc86e3825e2eee9a8758ba26bdea0cb6a2581e) |
| 242 | + `nock@2.10.0` ([@pgte](https://github.com/pgte)) |
| 243 | + |
| 244 | +### v2.13.4 (2015-07-30): |
| 245 | + |
| 246 | +#### JULY ENDS ON A FAIRLY QUIET NOTE |
| 247 | + |
| 248 | +Hey everyone! I hope you've had a great week. We're having a fairly small |
| 249 | +release this week while we wrap up Teams and Orgs (or, as we've taken to calling |
| 250 | +it internally, _Teens and Orcs_). |
| 251 | + |
| 252 | +In other exciting news, a bunch of us are gonna be at the [Node.js Collaborator |
| 253 | +Summit](https://github.com/nodejs/summit/issues/1), and you can also find us at |
| 254 | +[wafflejs](https://wafflejs.com/) on Wednesday. Hopefully we'll be seeing some |
| 255 | +of you there. :) |
| 256 | + |
| 257 | +#### THE PATCH!!! |
| 258 | + |
| 259 | +So here it is. The patch. Hope it helps. (Thanks, |
| 260 | +[@ktarplee](https://github.com/ktarplee)!) |
| 261 | + |
| 262 | +* [`2e58c48`](https://github.com/npm/npm/commit/2e58c4819e3cafe4ae23ab7f4a520fe09258cfd7) |
| 263 | + [#9033](https://github.com/npm/npm/pull/9033) `npm version` now works on git |
| 264 | + submodules |
| 265 | + ([@ktarplee](https://github.com/ktarplee)) |
| 266 | + |
| 267 | +#### OH AND THERE'S A DEV DEPENDENCIES UPDATE |
| 268 | + |
| 269 | +Hooray. |
| 270 | + |
| 271 | +* [`d204683`](https://github.com/npm/npm/commit/d2046839d471322e61e3ceb0f00e78e5c481f967) |
| 272 | + nock@2.9.1 |
| 273 | + ([@pgte](https://github.com/pgte)) |
| 274 | + |
1 | 275 | ### v2.13.3 (2015-07-23): |
2 | 276 |
|
3 | 277 | #### I'M SAVING THE GOOD JOKES FOR MORE INTERESTING RELEASES |
@@ -29,12 +303,10 @@ There's a couple of doc updates! The last one might be interesting. |
29 | 303 | settings. |
30 | 304 | ([@SimenB](https://github.com/SimenB)) |
31 | 305 | * [`cf09e75`](https://github.com/npm/npm/commit/cf09e754931739af32647d667b671e72a4c79081) |
32 | | - |
33 | 306 | [#9022](https://github.com/npm/npm/issues/9022) Document the `"access"` field |
34 | 307 | in `"publishConfig"`. Did you know you don't need to use `--access=public` |
35 | 308 | when publishing scoped packages?! Just put it in your `package.json`! |
36 | 309 | Go refresh yourself on scopes packages by [checking our docs](https://docs.npmjs.com/getting-started/scoped-packages) on them. |
37 | | - |
38 | 310 | ([@boennemann](https://github.com/boennemann)) |
39 | 311 | * [`bfd73da`](https://github.com/npm/npm/commit/bfd73da33349cc2afb8278953b2ae16ea95023de) |
40 | 312 | [#9013](https://github.com/npm/npm/issues/9013) fixed typo in changelog |
|
0 commit comments