deps: upgrade npm to 6.1.0
Checklist
- `make test-npm` passes
- commit message follows commit guidelines
Where this should land
- Node 10
- Node 8
Breaking changes
This is a major release, so it does include breaking changes. They are, however, very minor and important:
- `npm update` and `npm outdated` now will not suggest versions greater than the version tagged as `latest`. This is in alignment with the use of tags for release trains or experimental versions, while not requiring the use of prerelease version numbers.
- `npm install` will now do its best to avoid versions that are marked as deprecated. That makes `npm deprecate` similar to how the `gem yank` command works in Ruby. If you specifically ask for a deprecated version you will still get it.
- `npm` will now report that it no longer supports node v4 and node v7.
Notable changes
- Flattening npm's dependency tree to take advantage of the MacOS installer rewrite will fix #19449 (closed)
- `npm init` now can take an argument and it will run a matching `create-…` script from the registry. An amalgam of `npx` and `yarn create`.
- `npm audit` provides a vulnerability scanner. The registry side of this will be available soon. Details are discussed in the CHANGELOG
- `npm audit fix` to help users automatically fix vulnerabilities found with `npm audit`.
- Webhook management is now included with the cli as the `npm hook` command. Previously this functionality was found in the module `wombat`. With webhooks you can request notification whenever a package updates.
- Rewrite binaries less. Previously if we found a CRLF in a binary that had a shebang then we would convert the entire file to unix line endings. With this change we only convert the shebang line itself.
- Eliminate use of `new Buffer` in npm
- Rewritten and prettier `npm view`
- `npm pack` and `npm publish` previews when running them with `--dry-run`
- `npm ci`, new, faster, lock-file only install mode and `npm cit` to install and test
- Automatic git merge conflict resolution on conflicts in lock-files.
- A slew of bug fixes are stabilizing lock-files when using partial installs (e.g., `--only=production`, `--no-optional`, etc.)
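
The "Rewrite binaries less" item above, sketched as an added example (not npm's own code; the function names and the sample bytes are constructed for illustration). Converting CRLF across a whole file that starts with a shebang also rewrites payload bytes that happen to be `0x0d 0x0a`, while converting only the shebang line leaves the payload byte-for-byte intact.

```javascript
'use strict'
// Added illustration, not npm's implementation. All names are hypothetical.

const CR = 0x0d
const LF = 0x0a

// True when the file starts with "#!".
function hasShebang (buf) {
  return buf.length >= 2 && buf[0] === 0x23 && buf[1] === 0x21
}

// Previous behaviour as described: a shebang triggers CRLF -> LF
// conversion over the entire file, including any binary payload.
function convertWholeFile (buf) {
  if (!hasShebang(buf)) return buf
  const out = []
  for (let i = 0; i < buf.length; i++) {
    if (buf[i] === CR && buf[i + 1] === LF) continue // drop the CR
    out.push(buf[i])
  }
  return Buffer.from(out)
}

// New behaviour as described: only the shebang line itself is converted.
function convertShebangOnly (buf) {
  if (!hasShebang(buf)) return buf
  const eol = buf.indexOf(LF) // end of the first line
  if (eol < 1 || buf[eol - 1] !== CR) return buf // no CRLF on line one
  return Buffer.concat([buf.subarray(0, eol - 1), buf.subarray(eol)])
}

// Constructed sample: a CRLF shebang followed by binary data that
// contains the byte pair 0x0d 0x0a twice.
const payload = Buffer.from([0x00, 0x0d, 0x0a, 0xff, 0x0d, 0x0a, 0x01])
const sample = Buffer.concat([
  Buffer.from('#!/usr/bin/env node\r\n', 'latin1'),
  payload
])

// Whole-file conversion drops 3 bytes (one from the shebang line, two
// from the payload); shebang-only conversion drops exactly 1.
const whole = convertWholeFile(sample)
const shebangOnly = convertShebangOnly(sample)
console.log('original bytes:    ', sample.length)
console.log('whole-file bytes:  ', whole.length)
console.log('shebang-only bytes:', shebangOnly.length)
console.log('payload preserved: ', shebangOnly.subarray(20).equals(payload))
```

Comparing a hash of the installed file's payload against the published one is a quick way to confirm which behaviour a given npm version applies.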