release: npm@6.3.0

AUTHORS

@@ -584,3 +584,10 @@ Geoffrey Mattie <info@geoffreymattie.com>
 Luis Lobo Borobia <luislobo@gmail.com>
 Aaron Tribou <tribou@users.noreply.github.com>
 刘祺 <gucong@gmail.com>
+Brad Johnson <bradsk88@gmail.com>
+Artem Varaksa <aymfst@gmail.com>
+Mary <Ipadlover8322@gmail.com>
+Darryl Pogue <dvpdiner2@gmail.com>
+Rick Schubert <rickschubert@gmx.de>
+Daniel W <dwilches@gmail.com>
+XhmikosR <xhmikosr@gmail.com>

CHANGELOG.md

@@ -1,3 +1,76 @@
+## v6.3.0 (2018-07-25):
+
+### NEW FEATURES
+
+* [`ad0dd226f`](https://github.com/npm/npm/commit/ad0dd226fb97a33dcf41787ae7ff282803fb66f2)
+  [npm/cli#26](https://github.com/npm/cli/pull/26)
+  `npm version` now supports a `--preid` option to specify the preid for
+  prereleases. For example, `npm version premajor --preid rc` will tag a version
+  like `2.0.0-rc.0`.
+  ([@dwilches](https://github.com/dwilches))
+
+### MESSAGING IMPROVEMENTS
+
+* [`c1dad1e99`](https://github.com/npm/npm/commit/c1dad1e994827f2eab7a13c0f6454f4e4c22ebc2)
+  [npm/cli#6](https://github.com/npm/cli/pull/6)
+  Make `npm audit fix` message provide better instructions for vulnerabilities
+  that require manual review.
+  ([@bradsk88](https://github.com/bradsk88))
+* [`15c1130fe`](https://github.com/npm/npm/commit/15c1130fe81961706667d845aad7a5a1f70369f3)
+  Fix missing colon next to tarball url in new `npm view` output.
+  ([@zkat](https://github.com/zkat))
+* [`21cf0ab68`](https://github.com/npm/npm/commit/21cf0ab68cf528d5244ae664133ef400bdcfbdb6)
+  [npm/cli#24](https://github.com/npm/cli/pull/24)
+  Use the defaut OTP explanation everywhere except when the context is
+  "OTP-aware" (like when setting double-authentication). This improves the
+  overall CLI messaging when prompting for an OTP code.
+  ([@jdeniau](https://github.com/jdeniau))
+
+### MISC
+
+* [`a9ac8712d`](https://github.com/npm/npm/commit/a9ac8712dfafcb31a4e3deca24ddb92ff75e942d)
+  [npm/cli#21](https://github.com/npm/cli/pull/21)
+  Use the extracted `stringify-package` package.
+  ([@dpogue](https://github.com/dpogue))
+* [`9db15408c`](https://github.com/npm/npm/commit/9db15408c60be788667cafc787116555507dc433)
+  [npm/cli#27](https://github.com/npm/cli/pull/27)
+  `wrappy` was previously added to dependencies in order to flatten it, but we
+  no longer do legacy-style for npm itself, so it has been removed from
+  `package.json`.
+  ([@rickschubert](https://github.com/rickschubert))
+
+### DOCUMENTATION
+
+* [`3242baf08`](https://github.com/npm/npm/commit/3242baf0880d1cdc0e20b546d3c1da952e474444)
+  [npm/cli#13](https://github.com/npm/cli/pull/13)
+  Update more dead links in README.md.
+  ([@u32i64](https://github.com/u32i64))
+* [`06580877b`](https://github.com/npm/npm/commit/06580877b6023643ec780c19d84fbe120fe5425c)
+  [npm/cli#19](https://github.com/npm/cli/pull/19)
+  Update links in docs' `index.html` to refer to new bug/PR URLs.
+  ([@watilde](https://github.com/watilde))
+* [`ca03013c2`](https://github.com/npm/npm/commit/ca03013c23ff38e12902e9569a61265c2d613738)
+  [npm/cli#15](https://github.com/npm/cli/pull/15)
+  Fix some typos in file-specifiers docs.
+  ([@Mstrodl](https://github.com/Mstrodl))
+* [`4f39f79bc`](https://github.com/npm/npm/commit/4f39f79bcacef11bf2f98d09730bc94d0379789b)
+  [npm/cli#16](https://github.com/npm/cli/pull/16)
+  Fix some typos in file-specifiers and package-lock docs.
+  ([@watilde](https://github.com/watilde))
+* [`35e51f79d`](https://github.com/npm/npm/commit/35e51f79d1a285964aad44f550811aa9f9a72cd8)
+  [npm/cli#18](https://github.com/npm/cli/pull/18)
+  Update build status badge url in README.
+  ([@watilde](https://github.com/watilde))
+* [`a67db5607`](https://github.com/npm/npm/commit/a67db5607ba2052b4ea44f66657f98b758fb4786)
+  [npm/cli#17](https://github.com/npm/cli/pull/17/)
+  Replace TROUBLESHOOTING.md with [posts in
+  npm.community](https://npm.community/c/support/troubleshooting).
+  ([@watilde](https://github.com/watilde))
+* [`e115f9de6`](https://github.com/npm/npm/commit/e115f9de65bf53711266152fc715a5012f7d3462)
+  [npm/cli#7](https://github.com/npm/cli/pull/7)
+  Use https URLs in documentation when appropriate. Happy [Not Secure Day](https://arstechnica.com/gadgets/2018/07/todays-the-day-that-chrome-brands-plain-old-http-as-not-secure/)!
+  ([@XhmikosR](https://github.com/XhmikosR))
+
 ## v6.2.0 (2018-07-13):
 
 In case you missed it, [we
@@ -13,7 +86,8 @@ quite ready on time but that we'd still like to include. Enjoy!
 
 * [`244b18380`](https://github.com/npm/npm/commit/244b18380ee55950b13c293722771130dbad70de)
   [#20554](https://github.com/npm/npm/pull/20554)
-  add support for --parseable output
+  Add support for tab-separated output for `npm audit` data with the
+  `--parseable` flag.
   ([@luislobo](https://github.com/luislobo))
 * [`7984206e2`](https://github.com/npm/npm/commit/7984206e2f41b8d8361229cde88d68f0c96ed0b8)
   [#12697](https://github.com/npm/npm/pull/12697)

CONTRIBUTING.md

@@ -35,7 +35,7 @@ This includes anyone who may show up to the npm/npm repo with issues, PRs, comme
 * Comment on issues when they have a reference to the answer.
 * If community members aren't sure they are correct and don't have a reference to the answer, please leave the issue and try another one.
 * Defer to collaborators and npm employees for answers.
-* Make sure to search for [the troubleshooting doc](./TROUBLESHOOTING.md) and search on the issue tracker for similar issues before opening a new one.
+* Make sure to search for [the troubleshooting posts on npm.community](https://npm.community/c/support/troubleshooting) and search on the issue tracker for similar issues before opening a new one.
 * Any users with urgent support needs are welcome to email support@npmjs.com, and our dedicated support team will be happy to help.
 
 PLEASE don't @ collaborators or npm employees on issues. The CLI team is small, and has many outstanding commitments to fulfill.

README.md

@@ -1,7 +1,7 @@
 npm(1) -- a JavaScript package manager
 ==============================
 
-[![Build Status](https://img.shields.io/travis/npm/npm/latest.svg)](https://travis-ci.org/npm/npm)
+[![Build Status](https://img.shields.io/travis/npm/cli/latest.svg)](https://travis-ci.org/npm/cli)
 
 ## SYNOPSIS
 
@@ -88,7 +88,7 @@ experience if you run a recent version of npm. To upgrade, either use [Microsoft
 upgrade tool](https://github.com/felixrieseberg/npm-windows-upgrade),
 [download a new version of Node](https://nodejs.org/en/download/),
 or follow the Windows upgrade instructions in the
-[npm Troubleshooting Guide](./TROUBLESHOOTING.md).
+[Installing/upgrading npm](https://npm.community/t/installing-upgrading-npm/251/2) post.
 
 If that's not fancy enough for you, then you can fetch the code with
 git, and mess with it directly.

doc/cli/npm-hook.md

@@ -48,7 +48,7 @@ $ npm hook rm id-deadbeef
 ## DESCRIPTION
 
 Allows you to manage [npm
-hooks](http://blog.npmjs.org/post/145260155635/introducing-hooks-get-notifications-of-npm),
+hooks](https://blog.npmjs.org/post/145260155635/introducing-hooks-get-notifications-of-npm),
 including adding, removing, listing, and updating.
 
 Hooks allow you to configure URL endpoints that will be notified whenever a
@@ -69,4 +69,4 @@ request came from your own configured hook.
 
 ## SEE ALSO
 
-* ["Introducing Hooks" blog post](http://blog.npmjs.org/post/145260155635/introducing-hooks-get-notifications-of-npm)
+* ["Introducing Hooks" blog post](https://blog.npmjs.org/post/145260155635/introducing-hooks-get-notifications-of-npm)

doc/cli/npm-run-script.md

@@ -15,9 +15,9 @@ used by the test, start, restart, and stop commands, but can be called
 directly, as well. When the scripts in the package are printed out, they're
 separated into lifecycle (test, start, restart) and directly-run scripts.
 
-As of [`npm@2.0.0`](http://blog.npmjs.org/post/98131109725/npm-2-0-0), you can
+As of [`npm@2.0.0`](https://blog.npmjs.org/post/98131109725/npm-2-0-0), you can
 use custom arguments when executing scripts. The special option `--` is used by
-[getopt](http://goo.gl/KxMmtG) to delimit the end of the options. npm will pass
+[getopt](https://goo.gl/KxMmtG) to delimit the end of the options. npm will pass
 all the arguments after the `--` directly to your script:
 
     npm run test -- --grep="pattern"

doc/cli/npm-start.md

@@ -11,7 +11,7 @@ This runs an arbitrary command specified in the package's `"start"` property of
 its `"scripts"` object. If no `"start"` property is specified on the
 `"scripts"` object, it will run `node server.js`.
 
-As of [`npm@2.0.0`](http://blog.npmjs.org/post/98131109725/npm-2-0-0), you can
+As of [`npm@2.0.0`](https://blog.npmjs.org/post/98131109725/npm-2-0-0), you can
 use custom arguments when executing scripts. Refer to npm-run-script(1) for
 more details.
 

doc/cli/npm-version.md

@@ -3,7 +3,7 @@ npm-version(1) -- Bump a package version
 
 ## SYNOPSIS
 
-    npm version [<newversion> | major | minor | patch | premajor | preminor | prepatch | prerelease | from-git]
+    npm version [<newversion> | major | minor | patch | premajor | preminor | prepatch | prerelease [--preid=<prerelease-id>] | from-git]
 
     'npm [-v | --version]' to print npm version
     'npm view <pkg> version' to view a package's published version

doc/cli/npm.md

@@ -140,7 +140,7 @@ reproduction to report.
 
 [Isaac Z. Schlueter](http://blog.izs.me/) ::
 [isaacs](https://github.com/isaacs/) ::
-[@izs](http://twitter.com/izs) ::
+[@izs](https://twitter.com/izs) ::
 <i@izs.me>
 
 ## SEE ALSO

doc/files/package.json.md

@@ -106,7 +106,7 @@ Ideally you should pick one that is
 [OSI](https://opensource.org/licenses/alphabetical) approved.
 
 If your package is licensed under multiple common licenses, use an [SPDX license
-expression syntax version 2.0 string](https://npmjs.com/package/spdx), like this:
+expression syntax version 2.0 string](https://www.npmjs.com/package/spdx), like this:
 
     { "license" : "(ISC OR GPL-3.0)" }
 
@@ -608,7 +608,7 @@ Trying to install another plugin with a conflicting requirement will cause an
 error. For this reason, make sure your plugin requirement is as broad as
 possible, and not to lock it down to specific patch versions.
 
-Assuming the host complies with [semver](http://semver.org/), only changes in
+Assuming the host complies with [semver](https://semver.org/), only changes in
 the host package's major version will break your plugin. Thus, if you've worked
 with every 1.x version of the host package, use `"^1.0"` or `"1.x"` to express
 this. If you depend on features introduced in 1.5.2, use `">= 1.5.2 < 2"`.

doc/misc/npm-config.md

@@ -798,6 +798,14 @@ for updates immediately even for fresh package data.
 The location to install global items.  If set on the command line, then
 it forces non-global commands to run in the specified folder.
 
+### preid
+
+* Default: ""
+* Type: String
+
+The "prerelease identifier" to use as a prefix for the "prerelease" part of a
+semver. Like the `rc` in `1.2.0-rc.8`.
+
 ### production
 
 * Default: false

doc/misc/npm-disputes.md

@@ -102,8 +102,8 @@ here to help.**
 
 If you think another npm publisher is infringing your trademark, such as by
 using a confusingly similar package name, email <abuse@npmjs.com> with a link to
-the package or user account on [https://npmjs.com](https://npmjs.com). Attach a
-copy of your trademark registration certificate.
+the package or user account on [https://www.npmjs.com/](https://www.npmjs.com/).
+Attach a copy of your trademark registration certificate.
 
 If we see that the package's publisher is intentionally misleading others by
 misusing your registered mark without permission, we will transfer the package

doc/misc/npm-registry.md

@@ -81,7 +81,7 @@ effectively implement the entire CouchDB API anyway.
 
 ## Is there a website or something to see package docs and such?
 
-Yes, head over to <https://npmjs.com/>
+Yes, head over to <https://www.npmjs.com/>
 
 ## SEE ALSO
 

doc/spec/file-specifiers.md

@@ -14,7 +14,7 @@ URLs and URL-like strings for other types.
   slashes on a file specifier will be removed, that is 'file://../foo/bar`
   references the same package as same as `file:../foo/bar`.  The latter is
   considered canonical.
-* Attempting to install a specifer that has a windows drive letter will
+* Attempting to install a specifier that has a windows drive letter will
   produce an error on non-Windows systems.
 * A valid `file:` specifier points is:
   * a valid package file. That is, a `.tar`, `.tar.gz` or `.tgz` containing
@@ -64,7 +64,7 @@ down the destination package's `node_modules` you should create a shrinkwrap for
 separately.
 
 This is necessary to support the mono repo use case where many projects file
-to the same package.  If each project included its own npm-shrinkwrap.json
+to the same package.  If each project included its own `npm-shrinkwrap.json`
 then they would each have their own distinct set of transitive dependencies
 and they'd step on each other any time you ran an install in one or the other.
 
@@ -75,7 +75,7 @@ shrinkwrapped packages.
 
 #### File type specifiers pointing at tarballs
 
-File-type specifiers pointing at a `.tgz` or `.tar.gz or `.tar` file will
+File-type specifiers pointing at a `.tgz` or `.tar.gz` or `.tar` file will
 install it as a package file in the same way we would a remote tarball.  The
 checksum of the package file should be recorded so that we can check for updates.
 
@@ -134,7 +134,7 @@ example-package@1.0.0 /path/to/example-package
 +-- a -> file:../a
 ```
 
-Of note here: No version is included as the relavent detail is WHERE the
+Of note here: No version is included as the relevant detail is WHERE the
 package came from, not what version happened to be in that path.
 
 ### Outdated

doc/spec/package-lock.md

@@ -269,7 +269,7 @@ nothing requires it any more.
 ## Additional fields / Adding new fields
 
 Installers should ignore any field they aren't aware of.  It's not an error
-to have additional properities in the package-lock or lock file.
+to have additional properties in the package-lock or lock file.
 
 Installers that want to add new fields should either have one added via RFC
 in the npm issue tracker and an accompanying documentation PR, or should prefix

html/index.html

@@ -56,7 +56,7 @@
 </head>
 <h1>npm</h1>
 
-<p>npm is a package manager for <a href="http://nodejs.org/">node</a>.  You can use it to install
+<p>npm is a package manager for <a href="https://nodejs.org/">node</a>.  You can use it to install
   and publish your node programs.  It manages dependencies and does other cool stuff.</p>
 
 <h2>Easy Zero Line Install</h2>
@@ -69,7 +69,7 @@ <h2>Easy Zero Line Install</h2>
 <h2>Fancy Install</h2>
 
 <ol>
-  <li><a href="https://github.com/npm/npm">Get the code.</a>
+  <li><a href="https://github.com/npm/cli">Get the code.</a>
   <li>Do what <a href="doc/README.html">the README</a>
       says to do.
 </ol>
@@ -86,7 +86,7 @@ <h2>Other Cool Stuff</h2>
   <li><a href="doc/README.html">README</a>
   <li><a href="doc/">Help Documentation</a>
   <li><a href="https://www.npmjs.com/">Search for Packages</a>
-  <li><a href="https://github.com/npm/npm/issues">Bugs</a>
+  <li><a href="https://npm.community/">Bugs</a>
 </ul>
 
 </body>

lib/audit.js

@@ -249,7 +249,8 @@ function auditCmd (args, cb) {
               if (installMajor) {
                 output('  (installed due to `--force` option)')
               } else {
-                output('  (use `npm audit fix --force` to install breaking changes; or do it by hand)')
+                output('  (use `npm audit fix --force` to install breaking changes;' +
+                       ' or refer to `npm audit` for steps to fix these manually)')
               }
             }
           }

lib/auth/legacy.js

@@ -52,7 +52,7 @@ function login (conf) {
     })
     .catch((err) => {
       if (err.code !== 'EOTP') throw err
-      return read.otp('Authenticator provided OTP:').then((otp) => {
+      return read.otp('Enter one-time password from your authenticator app: ').then((otp) => {
         conf.auth.otp = otp
         const u = conf.creds.username
         const p = conf.creds.password