Skip to content

deps: upgrade npm to 9.1.3 #45693

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Dec 7, 2022
Merged

deps: upgrade npm to 9.1.3 #45693

merged 1 commit into from
Dec 7, 2022

Conversation

@npm-cli-bot
Copy link
Contributor

@npm-cli-bot npm-cli-bot commented Nov 30, 2022
edited by lukekarrys
Loading

This PR contains changes from: npm@9.0.0 npm@9.0.1 npm@9.1.0 npm@9.1.1 npm@9.1.2 npm@9.1.3

This PR replaces: nodejs/node#45491

Summary of Breaking Changes

Based on the list of guidelines we've established on integrating npm and node, here is a grouped list of the breaking changes with the reasoning as to why they fit within the guidelines linked above. Note that all the breaking changes were made in 9.0.0 which can be seen in it's original format but by expanding the 9.0.0 details section below. All subsequent minor and patch releases after npm@9.0.0 do not contain any breaking changes.

Engines

Explanation: the node engines supported by npm@9 make it safe to allow npm@9 as the default in any LTS version of 14 or 16, as well as anything later than or including 18.0.0

  • npm is now compatible with the following semver range for node: ^14.17.0 || ^16.13.0 || >=18.0.0

Filesystem

Explanation: when run as root previous versions of npm attempted to manage file ownership automatically on the user's behalf. this behavior was problematic in many cases and has been removed in favor of allowing users to manage their own filesystem permissions

  • npm will no longer attempt to modify ownership of files it creates

Auth

Explanation: any errors thrown from users having unsupported auth configurations will show npm config fix in the remediation instructions, which will allow the user to automatically have their auth config fixed.

  • the presence of auth related settings that are not scoped to a specific registry found in a config file is no longer supported and will throw errors

Login

Explanation: the default auth-type has changed and users can opt back into the old behavior with npm config set auth-type=legacy. login and adduser have also been seperated making each command more closely match it's name instead of being aliases for each other.

  • legacy auth types sso, saml & legacy have been consolidated into "legacy"
  • auth-type defaults to "web"
  • login and adduser are now separate commands that send different data to the registry.
  • auth-type config values web and legacy only try their respective methods, npm no longer tries them all and waits to see which one doesn't fail.

Tarball Packing

Explanation: previously using multiple ignore/allow lists when packing was an undefined behavior, and now the order of operations is strictly defined when packing a tarball making it easier to follow and should only affect users relying on the previously undefined behavior.

  • npm pack now follows a strict order of operations when applying ignore rules. If a files array is present in the package.json, then rules in .gitignore and .npmignore files from the root will be ignored.

Display/Debug/Timing Info

Explanation: these changes center around the display of information to the terminal including timing and debug log info. We do not anticipate these changes breaking any existing workflows.

  • links generated from git urls will now use HEAD instead of master as the default ref
  • timing has been removed as a value for --loglevel
  • --timing will show timing information regardless of --loglevel, except when --silent
  • When run with the --timing flag, npm now writes timing data to a file alongside the debug log data, respecting the logs-dir option and falling back to <CACHE>/_logs/ dir, instead of directly inside the cache directory.
  • The timing file data is no longer newline delimited JSON, and instead each run will create a uniquely named <ID>-timing.json file, with the <ID> portion being the same as the debug log.
  • npm now outputs some json errors on stdout. Previously npm would output all json formatted errors on stderr, making it difficult to parse as the stderr stream usually has logs already written to it.

Config/Command Deprecations or Removals

Explanation: install-links is the only config or command in the list that has an effect on package installs. We fixed a number of issues that came up during prereleases with this change. It will also only be applied to new package trees created without a package-lock.json file. Any install with an existing lock file will not be changed.

  • deprecate boolean install flags in favor of --install-strategy
  • npm config set will no longer accept deprecated or invalid config options
  • install-links config defaults to "true"
  • node-version config has been removed
  • npm-version config has been removed
  • npm access subcommands have been renamed
  • npm birthday has been removed
  • npm set-script has been removed
  • npm bin has been removed (use npx or npm exec to execute binaries)
9.0.0

9.0.0 (2022-10-19)

⚠️ BREAKING CHANGES

  • npm is now compatible with the following semver range for node: ^14.17.0 || ^16.13.0 || >=18.0.0
  • npm will no longer attempt to modify ownership of files it creates
  • the presence of auth related settings that are not scoped to a specific registry found in a config file is no longer supported and will throw errors
  • login, adduser, and auth-type changes
    • legacy auth types sso, saml & legacy have been consolidated into "legacy"
    • auth-type defaults to "web"
    • login and adduser are now separate commands that send different data to
      the registry.
    • auth-type config values web and legacy only try
      their respective methods, npm no longer tries them all and waits to see
      which one doesn't fail.
  • npm pack now follows a strict order of operations when applying ignore rules. If a files array is present in the package.json, then rules in .gitignore and .npmignore files from the root will be ignored.
  • links generated from git urls will now use HEAD instead of master as the default ref
  • timing and loglevel changes
    • timing has been removed as a value for --loglevel
    • --timing will show timing information regardless of
      --loglevel, except when --silent
  • --timing file changes:
    • When run with the --timing flag, npm now writes timing data to a
      file alongside the debug log data, respecting the logs-dir option and
      falling back to <CACHE>/_logs/ dir, instead of directly inside the
      cache directory.
    • The timing file data is no longer newline delimited JSON, and instead
      each run will create a uniquely named <ID>-timing.json file, with the
      <ID> portion being the same as the debug log.
    • Finally, the data inside the file now has three top level keys,
      metadata, timers, and unfinishedTimers instead of everything being
      a top level key.
  • npm now outputs some json errors on stdout. Previously npm would output all json formatted errors on stderr, making it difficult to parse as the stderr stream usually has logs already written to it. In the future, npm will differentiate between errors and crashes. Errors, such as E404 and ERESOLVE, will be handled and will continue to be output on stdout. In the case of a crash, npm will log the error as usual but will not attempt to display it as json, even in --json mode. Moving a case from the category of an error to a crash will not be considered a breaking change. For more information see npm/rfcs#482.
  • deprecate boolean install flags in favor of --install-strategy
    • deprecate --global-style, --global now sets --install-strategy=shallow
    • deprecate --legacy-bundling, now sets --install-strategy=nested
  • npm config set will no longer accept deprecated or invalid config options
  • install-links config defaults to "true"
  • node-version config has been removed
  • npm-version config has been removed
  • npm access subcommands have been renamed
  • npm birthday has been removed
  • npm set-script has been removed
  • npm bin has been removed (use npx or npm exec to execute binaries)

Features

Bug Fixes

Documentation

Dependencies

df77a1f #5707 Update Major Versions of Dependencies

Updated:

  • @npmcli/config@6.0.1
  • @npmcli/disparity-colors@3.0.0
  • @npmcli/git@4.0.1
  • @npmcli/installed-package-contents@2.0.0
  • @npmcli/map-workspaces@3.0.0
  • @npmcli/metavuln-calculator@5.0.0
  • @npmcli/move-file@3.0.0
  • @npmcli/node-gyp@3.0.0
  • @npmcli/package-json@3.0.0
  • @npmcli/promise-spawn@4.0.0
  • @npmcli/query@3.0.0
  • @npmcli/run-script@5.0.0
  • bin-links@4.0.1
  • cacache@17.0.1
  • ignore-walk@6.0.0
  • init-package-json@4.0.1
  • json-parse-even-better-errors@3.0.0
  • make-fetch-happen@11.0.1
  • normalize-package-data@5.0.0
  • npm-audit-report@4.0.0
  • npm-install-checks@6.0.0
  • npm-packlist@7.0.1
  • npm-pick-manifest@8.0.1
  • npm-profile@7.0.1
  • npm-registry-fetch@14.0.2
  • npmlog@7.0.0
  • pacote@15.0.1
  • parse-conflict-json@3.0.0
  • proc-log@3.0.0
  • read-package-json-fast@3.0.1
  • read-package-json@6.0.0
  • ssri@10.0.0
  • treeverse@3.0.0
  • validate-npm-package-name@5.0.0
  • write-file-atomic@5.0.0

Removed:

  • @npmcli/fs

9.0.1

9.0.1 (2022-10-26)

Documentation

Dependencies

9.1.0

9.1.0 (2022-11-02)

Features

Bug Fixes

Documentation

Dependencies

9.1.1

9.1.1 (2022-11-09)

Documentation

Dependencies

9.1.2

9.1.2 (2022-11-16)

Bug Fixes

Dependencies

9.1.3

9.1.3 (2022-11-30)

Bug Fixes

Documentation

Dependencies

@npm-cli-bot npm-cli-bot mentioned this pull request Nov 30, 2022
Closed
@nodejs-github-bot nodejs-github-bot added dont-land-on-v14.x fast-track PRs that do not need to wait for 48 hours to land. needs-ci PRs that need a full CI run. npm Issues and PRs related to the npm client dependency or the npm registry. labels Nov 30, 2022
@github-actions
Copy link
Contributor

Fast-track has been requested by @nodejs-github-bot. Please 👍 to approve.

Trott
Trott approved these changes Nov 30, 2022
View reviewed changes
Copy link
Member

@Trott Trott left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rubber-stamp LGTM if it looks good to @nodejs/npm

@Trott Trott added the request-ci Add this label to start a Jenkins CI on a PR. label Nov 30, 2022
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Dec 1, 2022
@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/48254/

@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/48258/

@github-actions github-actions bot mentioned this pull request Dec 2, 2022
Open
10 tasks
@styfle
Copy link
Member

styfle commented Dec 2, 2022

PR description needs to be updated:

include the above list of breaking changes and why we will ship it in a minor release

nodejs/Release#778 (comment)

This was referenced Dec 3, 2022
Open
Open
Open
Open
@lukekarrys
Copy link
Member

The PR body has been updated with a summary and explanation of the breaking changes. The npm team will be skipping our normal release scheduled for tomorrow, so this PR will be the latest version of npm until 2022-12-14.

@lukekarrys lukekarrys mentioned this pull request Dec 7, 2022
Closed
@ruyadorno
Copy link
Member

Thanks @lukekarrys! Seeing that it met all the requested items from nodejs/Release#778 and having discussed it extensively in the last two Release WG meetings, I'll go ahead and add it to the commit-queue (in case it fails I'll just manually land it).

@ruyadorno ruyadorno added notable-change PRs with changes that should be highlighted in changelogs. commit-queue Add this label to land a pull request using GitHub Actions. and removed needs-ci PRs that need a full CI run. labels Dec 7, 2022
@nodejs-github-bot nodejs-github-bot removed the commit-queue Add this label to land a pull request using GitHub Actions. label Dec 7, 2022
@nodejs-github-bot nodejs-github-bot merged commit 3bef549 into nodejs:main Dec 7, 2022
@nodejs-github-bot
Copy link
Collaborator

Landed in 3bef549

@github-actions github-actions bot mentioned this pull request Dec 8, 2022
Open
8 tasks
ErickWendel pushed a commit to ErickWendel/node that referenced this pull request Dec 12, 2022
@npm-cli-bot @ErickWendel
deps: upgrade npm to 9.1.3
09eebcd 
PR-URL: nodejs#45693
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Ruy Adorno <ruyadorno@google.com>
targos pushed a commit that referenced this pull request Dec 12, 2022
@npm-cli-bot @targos
deps: upgrade npm to 9.1.3
677eb62 
PR-URL: #45693
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Ruy Adorno <ruyadorno@google.com>
targos added a commit that referenced this pull request Dec 12, 2022
@targos
2022-12-13, Version 19.3.0 (Current)
a851b35 
Notable changes:

build:
  * disable v8 snapshot compression by default (Joyee Cheung) #45716
deps:
  * upgrade npm to 9.1.3 (npm team) #45693
doc:
  * add doc-only deprecation for headers/trailers setters (Rich Trott) #45697
  * add Rafael to the tsc (Michael Dawson) #45691
net:
  * (SEMVER-MINOR) add autoSelectFamily and autoSelectFamilyAttemptTimeout options (Paolo Insogna) #44731
src:
  * (SEMVER-MINOR) add uvwasi version (Jithil P Ponnan) #45639
test_runner:
  * (SEMVER-MINOR) add t.after() hook (Colin Ihrig) #45792
  * (SEMVER-MINOR) don't use a symbol for runHook() (Colin Ihrig) #45792
tls:
  * remove trustcor root ca certificates (Ben Noordhuis) #45776

PR-URL: TODO
@targos targos mentioned this pull request Dec 12, 2022
Merged
@mhdawson
Copy link
Member

mhdawson commented Dec 16, 2022
edited
Loading

@ruyadorno I think in the discussion the proposal was to have it bake a bit before it was backported to LTS lines. I'm going to add the dont-land labels for 18 and 16 so it does not flow back until that happens. Please let me know if that was not the consensus.

@ruyadorno
Copy link
Member

Good call @mhdawson, in the last discussion of the Release WG we agreed to follow the timeline outlined here: nodejs/Release#778 (comment)

Given that the next scheduled released for v18.x is on January 3rd it's a good idea to have the labels for now. We just need to remember to remove them after that release so that the npm updates can be backported and land in v18.x-staging on time for the February release.

One other thing to keep in mind is to add the same labels to any subsequent npm update PRs until they're all ready to be backported, for now that's only #45780 but we need to keep an eye if there's a new one. All in all we should try to remember to remove the labels as soon as possible to avoid any extra headaches for the releasers.

@ruyadorno ruyadorno mentioned this pull request Dec 16, 2022
Merged
@mhdawson
Copy link
Member

This issue might be something of concern in terms of a breaking change being reported ? - #45881 as I think 19.3 might have been the first version with the bump to npm 9 ?

@lukekarrys
Copy link
Member

#45881 as I think 19.3 might have been the first version with the bump to npm 9

yes, that is right. im triaging that issue now and i believe it's a bug and not a breaking change we intended to make. so we should be able to fix it in the next npm@9 release

@ljharb
Copy link
Member

ljharb commented Dec 19, 2022

Was the auth-type change mentioned briefly above considered by node collaborators? In particular, in node 19.3 (with npm 9) my normal workflow (that worked in 19.2 with npm 8) of inputting an OTP code directly into the terminal no longer works. I have restored it by adding auth-type=legacy to my ~/.npmrc, but node may want to ship (in node 19, at least) a built-in npmrc that restores this default.

@MylesBorins
Copy link
Contributor

The new auth type is a significant improvement in experience, especially with using webauthn to publish + login.

It might make more sense to have the otp flag infer the legacy auth type, since it essentially is broken right now. This seems more like a bug to be fixed rather than reverting the auth type change.

@ljharb
Copy link
Member

ljharb commented Dec 20, 2022

That's a very subjective claim; it's not an improvement for me personally, it was a surprising disruption to my workflow.

@MylesBorins
Copy link
Contributor

@ljharb FYI npm/statusboard#624 to fix the --otp issue. feel free to open a feedback issue if you have other ways your workflow is broken that we can attempt to imrprove / fix

@ljharb
Copy link
Member

ljharb commented Jan 10, 2023

I wasn't using --otp - I'm saying that the completely unconfigured default should remain OTP within the node 19 major line

Trott pushed a commit to Trott/io.js that referenced this pull request Jan 17, 2023
@npm-cli-bot @Trott
deps: upgrade npm to 9.1.3
0a6c54a 
PR-URL: nodejs#45693
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Ruy Adorno <ruyadorno@google.com>
@Trott Trott mentioned this pull request Jan 17, 2023
Closed
@MylesBorins MylesBorins added baking-for-lts PRs that need to wait before landing in a LTS release. and removed dont-land-on-v18.x labels Jan 17, 2023
juanarbol pushed a commit that referenced this pull request Jan 22, 2023
@npm-cli-bot @juanarbol
deps: upgrade npm to 9.1.3
4844935 
PR-URL: #45693
Backport-PR-URL: #46230
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Ruy Adorno <ruyadorno@google.com>
juanarbol added a commit that referenced this pull request Jan 28, 2023
@juanarbol
2023-01-31, Version 18.14.0 'Hydrogen' (LTS)
de266a4 
Notable changes:

* buffer
  * (SEMVER-MINOR) add buffer.isUtf8 for utf8 validation (Yagiz Nizipli) #45947
* deps:
  * disable avx512 for simutf on benchmark ci (Yagiz Nizipli) #45803
  * add simdutf dependency (Yagiz Nizipli) #45803
  * upgrade npm to 9.1.3 (npm team) #45693
* util:
  * add fast path for text-decoder fatal flag (Yagiz Nizipli) #45803

PR-URL: TBD
@juanarbol juanarbol mentioned this pull request Jan 28, 2023
Merged
juanarbol added a commit that referenced this pull request Jan 28, 2023
@juanarbol
2023-01-31, Version 18.14.0 'Hydrogen' (LTS)
85ed13d 
Notable changes:

* buffer
  * (SEMVER-MINOR) add buffer.isUtf8 for utf8 validation (Yagiz Nizipli) #45947
* deps:
  * disable avx512 for simutf on benchmark ci (Yagiz Nizipli) #45803
  * add simdutf dependency (Yagiz Nizipli) #45803
  * upgrade npm to 9.1.3 (npm team) #45693
* util:
  * add fast path for text-decoder fatal flag (Yagiz Nizipli) #45803

PR-URL: #46396
juanarbol added a commit that referenced this pull request Jan 28, 2023
@juanarbol
2023-01-31, Version 18.14.0 'Hydrogen' (LTS)
614a60d 
Notable changes:

* buffer
  * (SEMVER-MINOR) add buffer.isUtf8 for utf8 validation (Yagiz Nizipli) #45947
* deps:
  * disable avx512 for simutf on benchmark ci (Yagiz Nizipli) #45803
  * add simdutf dependency (Yagiz Nizipli) #45803
  * upgrade npm to 9.1.3 (npm team) #45693
* util:
  * add fast path for text-decoder fatal flag (Yagiz Nizipli) #45803

PR-URL: #46396
juanarbol added a commit that referenced this pull request Jan 30, 2023
@juanarbol
2023-01-31, Version 18.14.0 'Hydrogen' (LTS)
53ddd3a 
Notable changes:

* buffer
  * (SEMVER-MINOR) add buffer.isUtf8 for utf8 validation (Yagiz Nizipli) #45947
* deps:
  * add simdutf dependency (Yagiz Nizipli) #45803
  * upgrade npm to 9.1.3 (npm team) #45693
* util:
  * add fast path for text-decoder fatal flag (Yagiz Nizipli) #45803

PR-URL: #46396
juanarbol added a commit that referenced this pull request Jan 31, 2023
@juanarbol
2023-01-31, Version 18.14.0 'Hydrogen' (LTS)
a413280 
Notable changes:

* buffer
  * (SEMVER-MINOR) add buffer.isUtf8 for utf8 validation (Yagiz Nizipli) #45947
* deps:
  * add simdutf dependency (Yagiz Nizipli) #45803
  * upgrade npm to 9.1.3 (npm team) #45693
* util:
  * add fast path for text-decoder fatal flag (Yagiz Nizipli) #45803

PR-URL: #46396
@richardlau richardlau removed the baking-for-lts PRs that need to wait before landing in a LTS release. label May 8, 2024
@wraithgar wraithgar deleted the npm-v9.1.3 branch June 26, 2025 15:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ruyadorno ruyadorno ruyadorno approved these changes

@Trott Trott Trott approved these changes

@lpinca lpinca lpinca approved these changes

Assignees

No one assigned

Labels

fast-track PRs that do not need to wait for 48 hours to land. notable-change PRs with changes that should be highlighted in changelogs. npm Issues and PRs related to the npm client dependency or the npm registry.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.