v6.4.1

BUGFIXES

• 4bd40f543 #42 Prevent blowing up on malformed responses from the npm audit endpoint, such as with third-party registries. (@framp)
• 0e576f0aa #46 Fix NO_PROXY support by renaming npm-side config to --noproxy. The environment variable should still work. (@SneakyFish5)
• d8e811d6a #33 Disable update-notifier checks when a CI environment is detected. (@Sibiraj-S)
• 1bc5b8cea #47 Fix issue where postpack scripts would break if pack was used with --dry-run. (@larsgw)

DEPENDENCY BUMPS

• 4c57316d5 [email protected] (@zkat)
• 85f4d7905 [email protected] (@zkat)
• d20ac242a [email protected]: No real changes in npm-packlist, but npm-bundled included a circular dependency fix, as well as adding a proper LICENSE file. (@isaacs)
• e8d5f4418 npm.community#632 [email protected]: Fixes issue where npm ci wasn't running the prepare lifecycle script when installing git dependencies (@edahlseng)
• a5e6f78e9 [email protected]: Fixes memory leak problem when streaming large files (like legacy npm search). (@daern91)
• 3b940331d npm.community#1042 [email protected]: Fixes issue for Windows user where multiple Path/PATH variables were being added to the environment and breaking things in all sorts of fun and interesting ways. (@JimiC)
• d612d2ce8 [email protected] (@iarna)
• 1f6ba1cb1 [email protected] (@domenic)
• 37b8f405f [email protected] (@mikeal)
• bb91a2a14 [email protected] (@iarna)
• 30bc9900a [email protected]: Adds support for two more CI services (@watson)
• 1d2fa4ddd [email protected] (@joshbruce)

DOCUMENTATION

• 08ecde292 #54 Mention registry terms of use in manpage and registry docs and update language in README for it. (@kemitchell)
• de956405d #41 Add documentation for --dry-run in install and pack docs. (@reconbot)
• 95031b90c #48 Update republish time and lightly reorganize republish info. (@neverett)
• 767699b68 #53 Correct [email protected] release date in changelog. (@charmander)
• 3fea3166e #55 Align command descriptions in help text. (@erik)

v6.4.1-next.0

This release became [email protected].

v6.4.0

NEW FEATURES

• 6e9f04b0b npm/cli#8 Search for authentication token defined by environment variables by preventing the translation layer from env variable to npm option from breaking :_authToken. (@mkhl)
• 84bfd23e7 npm/cli#35 Stop filtering out non-IPv4 addresses from local-addrs, making npm actually use IPv6 addresses when it must. (@valentin2105)
• 792c8c709 npm/cli#31 configurable audit level for non-zero exit npm audit currently exits with exit code 1 if any vulnerabilities are found of any level. Add a flag of --audit-level to npm audit to allow it to pass if only vulnerabilities below a certain level are found. Example: npm audit --audit-level=high will exit with 0 if only low or moderate level vulns are detected. (@lennym)

BUGFIXES

• d81146181 npm/cli#32 Don't check for updates to npm when we are updating npm itself. (@olore)

DEPENDENCY UPDATES

A very special dependency update event! Since the release of [email protected], an awkward version conflict that was preventing request from begin flattened was resolved. This means two things:

1. We've cut down the npm tarball size by another 200kb, to 4.6MB
2. npm audit now shows no vulnerabilities for npm itself!

Thanks, @rvagg!

• 866d776c2 [email protected] (@simov)
• f861c2b57 [email protected] (@rvagg)
• 32e6947c6 npm/cli#39 [email protected]: REVERT REVERT, newer versions of this library are broken and print ansi codes even when disabled. (@iarna)
• beb96b92c [email protected] (@zkat)
• 348fc91ad [email protected]: Fixes errors with empty or string-only license fields. (@Gudahtt)
• e57d34575 [email protected] (@shesek)
• 46f1c6ad4 [email protected] (@isaacs)
• 50df1bf69 [email protected] (@iarna)
  (@Erveon) (@huochunpeng)

DOCUMENTATION

• af98e76ed npm/cli#34 Remove npm publish from list of commands not affected by --dry-run. (@joebowbeer)
• e2b0f0921 npm/cli#36 Tweak formatting in repository field examples. (@noahbenham)
• e2346e770 npm/cli#14 Used process.env examples to make accessing certain npm run-scripts environment variables more clear. (@mwarger)

v6.4.0-next.0

This release became [email protected].

v6.3.0

This is basically the same as the prerelease, but two dependencies have been bumped due to bugs that had been around for a while.

• 0a22be42e [email protected] (@zkat)
• 0096f6997 [email protected] (@zkat)

v6.3.0-next.0

NEW FEATURES

• ad0dd226f npm/cli#26 npm version now supports a --preid option to specify the preid for prereleases. For example, npm version premajor --preid rc will tag a version like 2.0.0-rc.0. (@dwilches)

MESSAGING IMPROVEMENTS

• c1dad1e99 npm/cli#6 Make npm audit fix message provide better instructions for vulnerabilities that require manual review. (@bradsk88)
• 15c1130fe Fix missing colon next to tarball url in new npm view output. (@zkat)
• 21cf0ab68 npm/cli#24 Use the defaut OTP explanation everywhere except when the context is "OTP-aware" (like when setting double-authentication). This improves the overall CLI messaging when prompting for an OTP code. (@jdeniau)

MISC

• a9ac8712d npm/cli#21 Use the extracted stringify-package package. (@dpogue)
• 9db15408c npm/cli#27 wrappy was previously added to dependencies in order to flatten it, but we no longer do legacy-style for npm itself, so it has been removed from package.json. (@rickschubert)

DOCUMENTATION

• 3242baf08 npm/cli#13 Update more dead links in README.md. (@u32i64)
• 06580877b npm/cli#19 Update links in docs' index.html to refer to new bug/PR URLs. (@watilde)
• ca03013c2 npm/cli#15 Fix some typos in file-specifiers docs. (@Mstrodl)
• 4f39f79bc npm/cli#16 Fix some typos in file-specifiers and package-lock docs. (@watilde)
• 35e51f79d npm/cli#18 Update build status badge url in README. (@watilde)
• a67db5607 npm/cli#17 Replace TROUBLESHOOTING.md with posts in npm.community. (@watilde)
• e115f9de6 npm/cli#7 Use https URLs in documentation when appropriate. Happy Not Secure Day! (@XhmikosR)

v6.2.0

In case you missed it, we moved!. We look forward to seeing future PRs landing in npm/cli in the future, and we'll be chatting with you all in npm.community. Go check it out!

This final release of [email protected] includes a couple of features that weren't quite ready on time but that we'd still like to include. Enjoy!

FEATURES

• 244b18380 #20554 add support for --parseable output (@luislobo)
• 7984206e2 #12697 Add new sign-git-commit config to control whether the git commit itself gets signed, or just the tag (which is the default). (@tribou)

FIXES

• 4c32413a5 #19418 Do not use SET to fetch the env in git-bash or Cygwin. (@gucong3000)

DEPENDENCY BUMPS

• d9b2712a6 [email protected]: Downgraded to allow better deduplication. This does introduce a bunch of hoek-related audit reports, but they don't affect npm itself so we consider it safe. We'll upgrade request again once node-gyp unpins it. (@simov)
• 2ac48f863 [email protected] (@MylesBorins)
• 8dc6d7640 [email protected]: cli-table2 is unmaintained and required lodash. With this dependency bump, we've removed lodash from our tree, which cut back tarball size by another 300kb. (@Turbo87)
• 90c759fee [email protected] (@zkat)
• 4231a0a1e Add cli-table3 to bundleDeps. (@iarna)
• 322d9c2f1 Make standard happy. (@iarna)

DOCS

• 5724983ea #21165 Fix some markdown formatting in npm-disputes.md. (@hchiam)
• 738178315 #20920 Explicitly state that republishing an unpublished package requires a 72h waiting period. (@gmattie)
• f0a372b07 Replace references to the old repo or issue tracker. We're at npm/cli now! (@zkat)