Release: npm@6.4.1

AUTHORS

@@ -596,3 +596,8 @@ Valentin Ouvrard <valentin210594@gmail.com>
 Noah Benham <noahbenham@users.noreply.github.com>
 Brian Olore <brian@olore.net>
 Mat Warger <mwarger@gmail.com>
+Federico Rampazzo <frampone@gmail.com>
+SneakyFish5 <32284796+SneakyFish5@users.noreply.github.com>
+Nikki Everett <neverett@users.noreply.github.com>
+Erik Price <github@erikprice.net>
+Lars Willighagen <lars.willighagen@gmail.com>

CHANGELOG.md

@@ -1,4 +1,102 @@
-## v6.4.0 (2018-09-08):
+## v6.4.1 (2018-08-22):
+
+### BUGFIXES
+
+* [`4bd40f543`](https://github.com/npm/cli/commit/4bd40f543dc89f0721020e7d0bb3497300d74818)
+  [#42](https://github.com/npm/cli/pull/42)
+  Prevent blowing up on malformed responses from the `npm audit` endpoint, such
+  as with third-party registries.
+  ([@framp](https://github.com/framp))
+* [`0e576f0aa`](https://github.com/npm/cli/commit/0e576f0aa6ea02653d948c10f29102a2d4a31944)
+  [#46](https://github.com/npm/cli/pull/46)
+  Fix `NO_PROXY` support by renaming npm-side config to `--noproxy`. The
+  environment variable should still work.
+  ([@SneakyFish5](https://github.com/SneakyFish5))
+* [`d8e811d6a`](https://github.com/npm/cli/commit/d8e811d6adf3d87474982cb831c11316ac725605)
+  [#33](https://github.com/npm/cli/pull/33)
+  Disable `update-notifier` checks when a CI environment is detected.
+  ([@Sibiraj-S](https://github.com/Sibiraj-S))
+* [`1bc5b8cea`](https://github.com/npm/cli/commit/1bc5b8ceabc86bfe4777732f25ffef0f3de81bd1)
+  [#47](https://github.com/npm/cli/pull/47)
+  Fix issue where `postpack` scripts would break if `pack` was used with
+  `--dry-run`.
+  ([@larsgw](https://github.com/larsgw))
+
+### DEPENDENCY BUMPS
+
+* [`4c57316d5`](https://github.com/npm/cli/commit/4c57316d5633e940105fa545b52d8fbfd2eb9f75)
+  `figgy-pudding@3.4.1`
+  ([@zkat](https://github.com/zkat))
+* [`85f4d7905`](https://github.com/npm/cli/commit/85f4d79059865d5267f3516b6cdbc746012202c6)
+  `cacache@11.2.0`
+  ([@zkat](https://github.com/zkat))
+* [`d20ac242a`](https://github.com/npm/cli/commit/d20ac242aeb44aa3581c65c052802a02d5eb22f3)
+  `npm-packlist@1.1.11`:
+  No real changes in npm-packlist, but npm-bundled included a
+  circular dependency fix, as well as adding a proper LICENSE file.
+  ([@isaacs](https://github.com/isaacs))
+* [`e8d5f4418`](https://github.com/npm/cli/commit/e8d5f441821553a31fc8cd751670663699d2c8ce)
+  [npm.community#632](https://npm.community/t/https://npm.community/t/using-npm-ci-does-not-run-prepare-script-for-git-modules/632)
+  `libcipm@2.0.2`:
+  Fixes issue where `npm ci` wasn't running the `prepare` lifecycle script when
+  installing git dependencies
+  ([@edahlseng](https://github.com/edahlseng))
+* [`a5e6f78e9`](https://github.com/npm/cli/commit/a5e6f78e916873f7d18639ebdb8abd20479615a9)
+  `JSONStream@1.3.4`:
+  Fixes memory leak problem when streaming large files (like legacy npm search).
+  ([@daern91](https://github.com/daern91))
+* [`3b940331d`](https://github.com/npm/cli/commit/3b940331dcccfa67f92366adb7ffd9ecf7673a9a)
+  [npm.community#1042](https://npm.community/t/3-path-variables-are-assigned-to-child-process-launched-by-npm/1042)
+  `npm-lifecycle@2.1.0`:
+  Fixes issue for Windows user where multiple `Path`/`PATH` variables were being
+  added to the environment and breaking things in all sorts of fun and
+  interesting ways.
+  ([@JimiC](https://github.com/JimiC))
+* [`d612d2ce8`](https://github.com/npm/cli/commit/d612d2ce8fab72026f344f125539ecbf3746af9a)
+  `npm-registry-client@8.6.0`
+  ([@iarna](https://github.com/iarna))
+* [`1f6ba1cb1`](https://github.com/npm/cli/commit/1f6ba1cb174590c1f5d2b00e2ca238dfa39d507a)
+  `opener@1.5.0`
+  ([@domenic](https://github.com/domenic))
+* [`37b8f405f`](https://github.com/npm/cli/commit/37b8f405f35c861b7beeed56f71ad20b0bf87889)
+  `request@2.88.0`
+  ([@mikeal](https://github.com/mikeal))
+* [`bb91a2a14`](https://github.com/npm/cli/commit/bb91a2a14562e77769057f1b6d06384be6d6bf7f)
+  `tacks@1.2.7`
+  ([@iarna](https://github.com/iarna))
+* [`30bc9900a`](https://github.com/npm/cli/commit/30bc9900ae79c80bf0bdee0ae6372da6f668124c)
+  `ci-info@1.4.0`:
+  Adds support for two more CI services
+  ([@watson](https://github.com/watson))
+* [`1d2fa4ddd`](https://github.com/npm/cli/commit/1d2fa4dddcab8facfee92096cc24b299387f3182)
+  `marked@0.5.0`
+  ([@joshbruce](https://github.com/joshbruce))
+
+### DOCUMENTATION
+
+* [`08ecde292`](https://github.com/npm/cli/commit/08ecde2928f8c89a2fdaa800ae845103750b9327)
+  [#54](https://github.com/npm/cli/pull/54)
+  Mention registry terms of use in manpage and registry docs and update language
+  in README for it.
+  ([@kemitchell](https://github.com/kemitchell))
+* [`de956405d`](https://github.com/npm/cli/commit/de956405d8b72354f98579d00c6dd30ac3b9bddf)
+  [#41](https://github.com/npm/cli/pull/41)
+  Add documentation for `--dry-run` in `install` and `pack` docs.
+  ([@reconbot](https://github.com/reconbot))
+* [`95031b90c`](https://github.com/npm/cli/commit/95031b90ce0b0c4dcd5e4eafc86e3e5bfd59fb3e)
+  [#48](https://github.com/npm/cli/pull/48)
+  Update republish time and lightly reorganize republish info.
+  ([@neverett](https://github.com/neverett))
+* [`767699b68`](https://github.com/npm/cli/commit/767699b6829b8b899d5479445e99b0ffc43ff92d)
+  [#53](https://github.com/npm/cli/pull/53)
+  Correct `npm@6.4.0` release date in changelog.
+  ([@charmander](https://github.com/charmander))
+* [`3fea3166e`](https://github.com/npm/cli/commit/3fea3166eb4f43f574fcfd9ee71a171feea2bc29)
+  [#55](https://github.com/npm/cli/pull/55)
+  Align command descriptions in help text.
+  ([@erik](https://github.com/erik))
+
+## v6.4.0 (2018-08-09):
 
 ### NEW FEATURES
 

README.md

@@ -16,17 +16,14 @@ Much more info will be available via `npm help` once it's installed.
 To install an old **and unsupported** version of npm that works on node v5
 and prior, clone the git repo and dig through the old tags and branches.
 
-**npm is configured to use npm, Inc.'s public package registry at
-<https://registry.npmjs.org> by default.**
+**npm is configured to use npm, Inc.'s public registry at
+<https://registry.npmjs.org> by default.** Use of the npm public registry
+is subject to terms of use available at <https://www.npmjs.com/policies/terms>.
 
 You can configure npm to use any compatible registry you
 like, and even run your own registry. Check out the [doc on
 registries](https://docs.npmjs.com/misc/registry).
 
-Use of someone else's registry may be governed by terms of use. The
-terms of use for the default public registry are available at
-<https://www.npmjs.com>.
-
 ## Super Easy Install
 
 npm is bundled with [node](https://nodejs.org/en/download/).

bin/npm-cli.js

@@ -83,9 +83,11 @@
     ) {
       const pkg = require('../package.json')
       let notifier = require('update-notifier')({pkg})
+      const isCI = require('ci-info').isCI
       if (
         notifier.update &&
-        notifier.update.latest !== pkg.version
+        notifier.update.latest !== pkg.version &&
+        !isCI
       ) {
         const color = require('ansicolors')
         const useColor = npm.config.get('color')

doc/cli/npm-ci.md

@@ -39,9 +39,10 @@ cache:
 
 This command is similar to `npm-install(1)`, except it's meant to be used in
 automated environments such as test platforms, continuous integration, and
-deployment. It can be significantly faster than a regular npm install by
-skipping certain user-oriented features. It is also more strict than a regular
-install, which can help catch errors or inconsistencies caused by the
+deployment -- or any situation where you want to make sure you're doing a clean
+install of your dependencies. It can be significantly faster than a regular npm
+install by skipping certain user-oriented features. It is also more strict than
+a regular install, which can help catch errors or inconsistencies caused by the
 incrementally-installed local environments of most npm users.
 
 In short, the main differences between using `npm install` and `npm ci` are:

doc/cli/npm-pack.md

@@ -3,7 +3,7 @@ npm-pack(1) -- Create a tarball from a package
 
 ## SYNOPSIS
 
-    npm pack [[<@scope>/]<pkg>...]
+    npm pack [[<@scope>/]<pkg>...] [--dry-run]
 
 ## DESCRIPTION
 
@@ -18,6 +18,9 @@ overwritten the second time.
 
 If no arguments are supplied, then npm packs the current package folder.
 
+The `--dry-run` argument will do everything that pack usually does without
+actually packing anything. Reports on what would have gone into the tarball.
+
 ## SEE ALSO
 
 * npm-cache(1)

doc/cli/npm-publish.md

@@ -4,7 +4,7 @@ npm-publish(1) -- Publish a package
 
 ## SYNOPSIS
 
-    npm publish [<tarball>|<folder>] [--tag <tag>] [--access <public|restricted>] [--otp otpcode]
+    npm publish [<tarball>|<folder>] [--tag <tag>] [--access <public|restricted>] [--otp otpcode] [--dry-run]
 
     Publishes '.' if no argument supplied
     Sets tag 'latest' if no --tag specified
@@ -46,6 +46,10 @@ specifying a different default registry or using a `npm-scope(7)` in the name
   then you can provide a code from your authenticator with this. If you
   don't include this and you're running from a TTY then you'll be prompted.
 
+* `[--dry-run]`
+  Does everything publish would do except actually publishing to the registry.
+  Reports the details of what would have been published.
+
 Fails if the package name and version combination already exists in
 the specified registry.
 
@@ -57,9 +61,8 @@ As of `npm@5`, both a sha1sum and an integrity field with a sha512sum of the
 tarball will be submitted to the registry during publication. Subsequent
 installs will use the strongest supported algorithm to verify downloads.
 
-For a "dry run" that does everything except actually publishing to the
-registry, see `npm-pack(1)`, which figures out the files to be included and
-packs them into a tarball to be uploaded to the registry.
+Similar to `--dry-run` see `npm-pack(1)`, which figures out the files to be
+included and packs them into a tarball to be uploaded to the registry.
 
 ## SEE ALSO
 

doc/cli/npm-unpublish.md

@@ -24,14 +24,15 @@ If no version is specified, or if all versions are removed then
 the root package entry is removed from the registry entirely.
 
 Even if a package version is unpublished, that specific name and
-version combination can never be reused.  In order to publish the
-package again, a new version number must be used.
+version combination can never be reused. In order to publish the
+package again, a new version number must be used. Additionally,
+new versions of packages with every version unpublished may not
+be republished until 24 hours have passed.
 
 With the default registry (`registry.npmjs.org`), unpublish is
-only allowed with versions published in the last 72 hours.  Similarly,
-new versions of unpublished packages may not be republished until 72 hours
-have passed. If you are trying to unpublish a version published longer
-ago than that, contact support@npmjs.com.
+only allowed with versions published in the last 72 hours. If you
+are trying to unpublish a version published longer ago than that,
+contact support@npmjs.com.
 
 The scope is optional and follows the usual rules for `npm-scope(7)`.
 

doc/cli/npm.md

@@ -21,6 +21,16 @@ programs.
 
 Run `npm help` to get a list of available commands.
 
+## IMPORTANT
+
+npm is configured to use npm, Inc.'s public registry at
+https://registry.npmjs.org by default. Use of the npm public registry is
+subject to terms of use available at https://www.npmjs.com/policies/terms.
+
+You can configure npm to use any compatible registry you like, and even run
+your own registry. Use of someone else's registry may be governed by their
+terms of use.
+
 ## INTRODUCTION
 
 You probably got npm because you want to install stuff.

doc/misc/npm-config.md

@@ -692,7 +692,7 @@ impact how lifecycle scripts are called.
 
 The node version to use when checking a package's `engines` map.
 
-### no-proxy
+### noproxy
 
 * Default: null
 * Type: String or Array

doc/misc/npm-registry.md

@@ -7,12 +7,20 @@ To resolve packages by name and version, npm talks to a registry website
 that implements the CommonJS Package Registry specification for reading
 package info.
 
-Additionally, npm's package registry implementation supports several
+npm is configured to use npm, Inc.'s public registry at
+<https://registry.npmjs.org> by default. Use of the npm public registry is
+subject to terms of use available at <https://www.npmjs.com/policies/terms>.
+
+You can configure npm to use any compatible registry you like, and even run
+your own registry. Use of someone else's registry may be governed by their
+terms of use.
+
+npm's package registry implementation supports several
 write APIs as well, to allow for publishing packages and managing user
 account information.
 
-The official public npm registry is at <https://registry.npmjs.org/>.  It
-is powered by a CouchDB database, of which there is a public mirror at
+The npm public registry is powered by a CouchDB database,
+of which there is a public mirror at
 <https://skimdb.npmjs.com/registry>.  The code for the couchapp is
 available at <https://github.com/npm/npm-registry-couchapp>.
 

lib/config/cmd-list.js

@@ -17,7 +17,9 @@ var shorthands = {
   't': 'test',
   'ddp': 'dedupe',
   'v': 'view',
-  'run': 'run-script'
+  'run': 'run-script',
+  'clean-install': 'ci',
+  'clean-install-test': 'cit'
 }
 
 var affordances = {
@@ -27,6 +29,8 @@ var affordances = {
   'ic': 'ci',
   'innit': 'init',
   'isntall': 'install',
+  'install-clean': 'ci',
+  'isntall-clean': 'ci',
   'dist-tags': 'dist-tag',
   'apihelp': 'help',
   'find-dupes': 'dedupe',
@@ -46,13 +50,13 @@ var affordances = {
   'rm': 'uninstall',
   'r': 'uninstall',
   'rum': 'run-script',
-  'sit': 'cit',
-  'urn': 'run-script'
+  'sit': 'cit'
 }
 
 // these are filenames in .
 var cmdList = [
   'ci',
+  'install-ci-test',
   'install',
   'install-test',
   'uninstall',

lib/config/defaults.js

@@ -196,7 +196,7 @@ Object.defineProperty(exports, 'defaults', {get: function () {
     'progress': !process.env.TRAVIS && !process.env.CI,
     proxy: null,
     'https-proxy': null,
-    'no-proxy': null,
+    'noproxy': null,
     'user-agent': 'npm/{npm-version} ' +
                     'node/{node-version} ' +
                     '{platform} ' +
@@ -318,7 +318,7 @@ exports.types = {
   'metrics-registry': [null, String],
   'node-options': [null, String],
   'node-version': [null, semver],
-  'no-proxy': [null, String, Array],
+  'noproxy': [null, String, Array],
   offline: Boolean,
   'onload-script': [null, String],
   only: [null, 'dev', 'development', 'prod', 'production'],

lib/config/pacote.js

@@ -38,7 +38,7 @@ function pacoteOpts (moreOpts) {
     preferOnline: npm.config.get('prefer-online') || npm.config.get('cache-max') <= 0,
     projectScope: npm.projectScope,
     proxy: npm.config.get('https-proxy') || npm.config.get('proxy'),
-    noProxy: npm.config.get('no-proxy'),
+    noProxy: npm.config.get('noproxy'),
     refer: npm.registry.refer,
     registry: npm.config.get('registry'),
     retry: {

lib/help.js

@@ -170,10 +170,10 @@ function npmUsage (valid, cb) {
     npm.config.get('long') ? usages()
       : '    ' + wrap(commands),
     '',
-    'npm <command> -h     quick help on <command>',
-    'npm -l           display full usage info',
-    'npm help <term>  search for help on <term>',
-    'npm help npm     involved overview',
+    'npm <command> -h  quick help on <command>',
+    'npm -l            display full usage info',
+    'npm help <term>   search for help on <term>',
+    'npm help npm      involved overview',
     '',
     'Specify configs in the ini-formatted file:',
     '    ' + npm.config.get('userconfig'),

lib/install.js

@@ -766,6 +766,9 @@ Installer.prototype.printInstalled = function (cb) {
     if (!this.auditSubmission) return
     return Bluebird.resolve(this.auditSubmission).timeout(10000).catch(() => null)
   }).then((auditResult) => {
+    if (auditResult && !auditResult.metadata) {
+      log.warn('audit', 'Audit result from registry missing metadata. This is probably an issue with the registry.')
+    }
     // maybe write audit report w/ hash of pjson & shrinkwrap for later reading by `npm audit`
     if (npm.config.get('json')) {
       return this.printInstalledForJSON(diffs, auditResult)
@@ -834,7 +837,7 @@ Installer.prototype.printInstalledForHuman = function (diffs, auditResult) {
   if (removed) actions.push('removed ' + packages(removed))
   if (updated) actions.push('updated ' + packages(updated))
   if (moved) actions.push('moved ' + packages(moved))
-  if (auditResult && auditResult.metadata.totalDependencies) {
+  if (auditResult && auditResult.metadata && auditResult.metadata.totalDependencies) {
     actions.push('audited ' + packages(auditResult.metadata.totalDependencies))
   }
   if (actions.length === 0) {

lib/install/audit.js

@@ -87,7 +87,7 @@ function fetchAudit (href, body) {
   const opts = pacoteOpts()
   return registryFetch(href, {
     method: 'POST',
-    headers: { 'Content-Encoding': 'gzip', 'Content-Type': 'application/json' },
+    headers: { 'content-encoding': 'gzip', 'content-type': 'application/json' },
     config: npm.config,
     npmSession: opts.npmSession,
     projectScope: npm.projectScope,