-
Notifications
You must be signed in to change notification settings - Fork 29.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
deps: upgrade npm to 9.1.3 #45693
deps: upgrade npm to 9.1.3 #45693
Conversation
Fast-track has been requested by @nodejs-github-bot. Please 👍 to approve. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Rubber-stamp LGTM if it looks good to @nodejs/npm
PR description needs to be updated:
|
The PR body has been updated with a summary and explanation of the breaking changes. The npm team will be skipping our normal release scheduled for tomorrow, so this PR will be the latest version of |
Thanks @lukekarrys! Seeing that it met all the requested items from nodejs/Release#778 and having discussed it extensively in the last two Release WG meetings, I'll go ahead and add it to the commit-queue (in case it fails I'll just manually land it). |
Landed in 3bef549 |
PR-URL: nodejs#45693 Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Ruy Adorno <ruyadorno@google.com>
PR-URL: #45693 Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Ruy Adorno <ruyadorno@google.com>
Notable changes: build: * disable v8 snapshot compression by default (Joyee Cheung) #45716 deps: * upgrade npm to 9.1.3 (npm team) #45693 doc: * add doc-only deprecation for headers/trailers setters (Rich Trott) #45697 * add Rafael to the tsc (Michael Dawson) #45691 net: * (SEMVER-MINOR) add autoSelectFamily and autoSelectFamilyAttemptTimeout options (Paolo Insogna) #44731 src: * (SEMVER-MINOR) add uvwasi version (Jithil P Ponnan) #45639 test_runner: * (SEMVER-MINOR) add t.after() hook (Colin Ihrig) #45792 * (SEMVER-MINOR) don't use a symbol for runHook() (Colin Ihrig) #45792 tls: * remove trustcor root ca certificates (Ben Noordhuis) #45776 PR-URL: TODO
@ruyadorno I think in the discussion the proposal was to have it bake a bit before it was backported to LTS lines. I'm going to add the dont-land labels for 18 and 16 so it does not flow back until that happens. Please let me know if that was not the consensus. |
Good call @mhdawson, in the last discussion of the Release WG we agreed to follow the timeline outlined here: nodejs/Release#778 (comment) Given that the next scheduled released for One other thing to keep in mind is to add the same labels to any subsequent npm update PRs until they're all ready to be backported, for now that's only #45780 but we need to keep an eye if there's a new one. All in all we should try to remember to remove the labels as soon as possible to avoid any extra headaches for the releasers. |
This issue might be something of concern in terms of a breaking change being reported ? - #45881 as I think 19.3 might have been the first version with the bump to npm 9 ? |
yes, that is right. im triaging that issue now and i believe it's a bug and not a breaking change we intended to make. so we should be able to fix it in the next |
Was the |
The new auth type is a significant improvement in experience, especially with using webauthn to publish + login. It might make more sense to have the |
That's a very subjective claim; it's not an improvement for me personally, it was a surprising disruption to my workflow. |
@ljharb FYI npm/statusboard#624 to fix the |
I wasn't using |
PR-URL: nodejs#45693 Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Ruy Adorno <ruyadorno@google.com>
Notable changes: * buffer * (SEMVER-MINOR) add buffer.isUtf8 for utf8 validation (Yagiz Nizipli) #45947 * deps: * disable avx512 for simutf on benchmark ci (Yagiz Nizipli) #45803 * add simdutf dependency (Yagiz Nizipli) #45803 * upgrade npm to 9.1.3 (npm team) #45693 * util: * add fast path for text-decoder fatal flag (Yagiz Nizipli) #45803 PR-URL: TBD
Notable changes: * buffer * (SEMVER-MINOR) add buffer.isUtf8 for utf8 validation (Yagiz Nizipli) #45947 * deps: * disable avx512 for simutf on benchmark ci (Yagiz Nizipli) #45803 * add simdutf dependency (Yagiz Nizipli) #45803 * upgrade npm to 9.1.3 (npm team) #45693 * util: * add fast path for text-decoder fatal flag (Yagiz Nizipli) #45803 PR-URL: #46396
Notable changes: * buffer * (SEMVER-MINOR) add buffer.isUtf8 for utf8 validation (Yagiz Nizipli) #45947 * deps: * disable avx512 for simutf on benchmark ci (Yagiz Nizipli) #45803 * add simdutf dependency (Yagiz Nizipli) #45803 * upgrade npm to 9.1.3 (npm team) #45693 * util: * add fast path for text-decoder fatal flag (Yagiz Nizipli) #45803 PR-URL: #46396
This PR contains changes from:
npm@9.0.0
npm@9.0.1
npm@9.1.0
npm@9.1.1
npm@9.1.2
npm@9.1.3
This PR replaces: nodejs/node#45491
Summary of Breaking Changes
Based on the list of guidelines we've established on integrating
npm
andnode
, here is a grouped list of the breaking changes with the reasoning as to why they fit within the guidelines linked above. Note that all the breaking changes were made in 9.0.0 which can be seen in it's original format but by expanding the9.0.0
details section below. All subsequent minor and patch releases afternpm@9.0.0
do not contain any breaking changes.Engines
npm
is now compatible with the following semver range for node:^14.17.0 || ^16.13.0 || >=18.0.0
Filesystem
npm
will no longer attempt to modify ownership of files it createsAuth
Login
sso
,saml
&legacy
have been consolidated into"legacy"
auth-type
defaults to"web"
login
andadduser
are now separate commands that send different data to the registry.auth-type
config valuesweb
andlegacy
only try their respective methods, npm no longer tries them all and waits to see which one doesn't fail.Tarball Packing
npm pack
now follows a strict order of operations when applying ignore rules. If afiles
array is present in thepackage.json
, then rules in.gitignore
and.npmignore
files from the root will be ignored.Display/Debug/Timing Info
HEAD
instead ofmaster
as the default reftiming
has been removed as a value for--loglevel
--timing
will show timing information regardless of--loglevel
, except when--silent
--timing
flag,npm
now writes timing data to a file alongside the debug log data, respecting thelogs-dir
option and falling back to<CACHE>/_logs/
dir, instead of directly inside the cache directory.<ID>-timing.json
file, with the<ID>
portion being the same as the debug log.npm
now outputs some json errors on stdout. Previouslynpm
would output all json formatted errors on stderr, making it difficult to parse as the stderr stream usually has logs already written to it.Config/Command Deprecations or Removals
--install-strategy
npm config set
will no longer accept deprecated or invalid config optionsinstall-links
config defaults to"true"
node-version
config has been removednpm-version
config has been removednpm access
subcommands have been renamednpm birthday
has been removednpm set-script
has been removednpm bin
has been removed (usenpx
ornpm exec
to execute binaries)9.0.0
9.0.0 (2022-10-19)
npm
is now compatible with the following semver range for node:^14.17.0 || ^16.13.0 || >=18.0.0
npm
will no longer attempt to modify ownership of files it createslogin
,adduser
, andauth-type
changessso
,saml
&legacy
have been consolidated into"legacy"
auth-type
defaults to"web"
login
andadduser
are now separate commands that send different data tothe registry.
auth-type
config valuesweb
andlegacy
only trytheir respective methods, npm no longer tries them all and waits to see
which one doesn't fail.
npm pack
now follows a strict order of operations when applying ignore rules. If afiles
array is present in thepackage.json
, then rules in.gitignore
and.npmignore
files from the root will be ignored.HEAD
instead ofmaster
as the default reftiming
andloglevel
changestiming
has been removed as a value for--loglevel
--timing
will show timing information regardless of--loglevel
, except when--silent
--timing
file changes:--timing
flag,npm
now writes timing data to afile alongside the debug log data, respecting the
logs-dir
option andfalling back to
<CACHE>/_logs/
dir, instead of directly inside thecache directory.
each run will create a uniquely named
<ID>-timing.json
file, with the<ID>
portion being the same as the debug log.metadata
,timers
, andunfinishedTimers
instead of everything beinga top level key.
npm
now outputs some json errors on stdout. Previouslynpm
would output all json formatted errors on stderr, making it difficult to parse as the stderr stream usually has logs already written to it. In the future,npm
will differentiate between errors and crashes. Errors, such asE404
andERESOLVE
, will be handled and will continue to be output on stdout. In the case of a crash,npm
will log the error as usual but will not attempt to display it as json, even in--json
mode. Moving a case from the category of an error to a crash will not be considered a breaking change. For more information see npm/rfcs#482.--install-strategy
--global-style
,--global
now sets--install-strategy=shallow
--legacy-bundling
, now sets--install-strategy=nested
npm config set
will no longer accept deprecated or invalid config optionsinstall-links
config defaults to"true"
node-version
config has been removednpm-version
config has been removednpm access
subcommands have been renamednpm birthday
has been removednpm set-script
has been removednpm bin
has been removed (usenpx
ornpm exec
to execute binaries)Features
a09e19d
#5696 introduce thenpm config fix
command (@nlf)d2963c6
explicitly validate config within the cli (@nlf)a5fec08
rewrite: docs generation (@lukekarrys)9609e9e
#5605 use v3 lockfiles by default (@fritzy)3ae796d
implement newnpm-packlist
behavior (@lukekarrys)e64d69a
#5581 write eresolve error files to the logs directory (@lukekarrys)3445da0
timings are now written alongside debug log files (@lukekarrys)66ed584
#5551 defaultauth-type
to"web"
(@wraithgar)6ee5b32
query: displayqueryContext
in results (@nlf)314311c
#5550 separatelogin
/adduser
& remove unnecessary auth types (@wraithgar)9c32c6c
rewrite:npm access
(@wraithgar)854521b
rewrite:libnpmaccess
(@wraithgar)e95017a
#5485 feat(workspaces): update supported node engines inpackage.json
(@lukekarrys)de2d33f
add--install-strategy=hoisted|nested|shallow
, deprecate--global-style
,--legacy-bundling
(#5709) (@fritzy)49bbb2f
#5455 removenpm birthday
(@wraithgar)926f0ad
#5456 removenpm set-script
(@wraithgar)2a8c2fc
#5458 defaultinstall-links
to"true"
(@wraithgar)2e92800
#5459 removenpm bin
(@wraithgar)457d388
#5475 update supported node engines in package.json (@wraithgar)46d038f
#5716 output json formatted errors onstdout
(@lukekarrys)0a69db4
#5719 refuse to set deprecated/invalid config (@wraithgar)6e4961f
separate configs for--timing
and--loglevel
(@lukekarrys)6a27a7b
#5712 deprecatedkey
,cert
config options and updated registry scoped auth docs (@fritzy)Bug Fixes
c3d7549
add tag to publish log message (@wraithgar)a35c784
#5691 config: removenode-version
andnpm-version
(@wraithgar)e4e8ae2
libnpmpack: obeyforegroundScripts
(@winterqt)07fabc9
#5633npm link
should override--install-links
(@fritzy)02fcbb6
#5634 ensureArborist
constructor gets passed around everywhere forpacote
(@nlf)0d90a01
#5480 audit: add a condition to allow third-party registries returning E400 (@juanheyns, Juan Heyns)41481f8
#5475 attempt more graceful failure in older node versions (@wraithgar)fc82298
#5295npm hook ls
duplicates hook name prefixes (@gennadiygashev)3f1fcf0
account for newnpm-package-arg
behavior (@wraithgar)353b5bb
#5710 removechownr
andmkdirp-infer-owner
(@nlf)Documentation
285b39f
#5324 add documentation for expanded:semver
selector (@nlf)fd0eebe
update registry docs header (@hughlilly)542efdb
updatefolders
page for modern npm (@shalvah)f37caad
#5606 accurately describeinstall-links
effect on relative paths (@lukekarrys)130bc9f
#5626 remove circular reference (#5626) (@giovanniPepi)f0e7584
#5601 update docs/logging for new--access
default (@wraithgar)2d756cb
#5527 add instruction to query objects withnpm view
(@moonith)8743366
#5519 add hash to "tag" config link (@mrienstra, @lukekarrys)5645c51
#5521 link mentions of config parameters (@mrienstra)19762b4
#5529 modify misleading doc about bins (@Hafizur046)19762b4
#5529 modify misleading doc about package.json:bin (@Hafizur046)8402fd8
#5547 add:outdated
pseudo selector to docs (@nlf)Dependencies
df77a1f
#5707 Update Major Versions of DependenciesUpdated:
@npmcli/config@6.0.1
@npmcli/disparity-colors@3.0.0
@npmcli/git@4.0.1
@npmcli/installed-package-contents@2.0.0
@npmcli/map-workspaces@3.0.0
@npmcli/metavuln-calculator@5.0.0
@npmcli/move-file@3.0.0
@npmcli/node-gyp@3.0.0
@npmcli/package-json@3.0.0
@npmcli/promise-spawn@4.0.0
@npmcli/query@3.0.0
@npmcli/run-script@5.0.0
bin-links@4.0.1
cacache@17.0.1
ignore-walk@6.0.0
init-package-json@4.0.1
json-parse-even-better-errors@3.0.0
make-fetch-happen@11.0.1
normalize-package-data@5.0.0
npm-audit-report@4.0.0
npm-install-checks@6.0.0
npm-packlist@7.0.1
npm-pick-manifest@8.0.1
npm-profile@7.0.1
npm-registry-fetch@14.0.2
npmlog@7.0.0
pacote@15.0.1
parse-conflict-json@3.0.0
proc-log@3.0.0
read-package-json-fast@3.0.1
read-package-json@6.0.0
ssri@10.0.0
treeverse@3.0.0
validate-npm-package-name@5.0.0
write-file-atomic@5.0.0
Removed:
@npmcli/fs
9.0.1
9.0.1 (2022-10-26)
Documentation
b5fadd0
#5742 Better npx link (#5742) (@mrienstra)Dependencies
de6618e
#5757@npmcli/promise-spawn@5.0.0
(#5757)5625274
#5755hosted-git-info@6.1.0
(#5755)32bdd68
#5754npm-packlist@7.0.2
(#5754)@npmcli/arborist@6.1.0
libnpmdiff@5.0.1
libnpmexec@5.0.1
libnpmfund@4.0.1
libnpmpack@5.0.1
libnpmpublish@7.0.1
9.1.0
9.1.0 (2022-11-02)
Features
706b3d3
#5779 set --no-audit when installing outside of a project (like --global) (@fritzy)Bug Fixes
1f5382d
#5789 don't setstdioString
for any spawn/run-script calls (@lukekarrys)8fd614a
use promiseSpawn.open instead of opener (@nlf)41843ad
use an absolute path to notepad.exe by default, correct docs (@nlf)0c5834e
#5758 use hosted-git-info to parse registry urls (#5758) (@lukekarrys)Documentation
ce6745c
#5763 fixed some typos (#5763) (@AndrewDawes)Dependencies
b89c19e
#5795cli-table3@0.6.3
6b6dfca
fastest-levenshtein@1.0.16
9972ed1
@npmcli/ci-detect@3.0.1
024e612
abbrev@2.0.0
66f9bcd
nopt@7.0.0
5730d17
tar@6.1.12
2fef570
node-gyp@9.3.0
abfb28b
@npmcli/run-script@6.0.0
205e2fd
pacote@15.0.6
ac25863
remove opener,@npmcli/promise-spawn@6.0.1
,@npmcli/run-script@5.1.1
,@npmcli/git@4.0.3
,pacote@15.0.5
,which@3.0.0
@npmcli/arborist@6.1.1
@npmcli/config@6.1.0
libnpmdiff@5.0.2
libnpmexec@5.0.2
libnpmfund@4.0.2
libnpmpack@5.0.2
libnpmpublish@7.0.2
libnpmversion@4.0.1
9.1.1
9.1.1 (2022-11-09)
Documentation
1bff064
#5819 config: documentnpm config fix
(#5819) (@wraithgar)Dependencies
335c7e4
#5813cacache@17.0.2
878ddfb
@npmcli/fs@3.1.0
@npmcli/arborist@6.1.2
libnpmdiff@5.0.3
libnpmexec@5.0.3
libnpmfund@4.0.3
libnpmpack@5.0.3
libnpmpublish@7.0.3
9.1.2
9.1.2 (2022-11-16)
Bug Fixes
d9654cf
#5861 remove unwanted package.json entries (#5861) (@wraithgar)Dependencies
a351685
#5858 move from @npmcli/ci-detect to ci-info (#5858)@npmcli/arborist@6.1.3
libnpmdiff@5.0.4
libnpmexec@5.0.4
libnpmfund@4.0.4
libnpmpack@5.0.4
libnpmpublish@7.0.4
9.1.3
9.1.3 (2022-11-30)
Bug Fixes
ffbdea2
#5894 npm pack filename on scoped packages (#5894) (@HenryNguyen5)c26d708
#5884 validate username at get-identity (#5884) (@sosoba, @nlf)Documentation
ea948dc
#5881 update description of npm exec (#5881) (@styfle, @wraithgar)40f2c21
#5865 ci-info url (#5865) (@wraithgar)681a45b
#5875 run the comand for directory workspaces (#5875) (@1aron)681a45b
#5875 add workspace directory example (#5875) (@1aron)Dependencies
@npmcli/arborist@6.1.4
libnpmdiff@5.0.5
libnpmexec@5.0.5
libnpmfund@4.0.5
libnpmpack@5.0.5
libnpmpublish@7.0.5