deps: upgrade npm to 3.8.6 #6153

Closed
wants to merge 2 commits into from
7 changes: 7 additions & 0 deletions deps/npm/AUTHORS
Expand Up @@ -382,3 +382,10 @@ Zac <[email protected]>
GriffinSchneider <[email protected]>
Andres Kalle <[email protected]>
thefourtheye <[email protected]>
Yael <[email protected]>
Yann Odeyer <[email protected]>
James Monger <[email protected]>
Thomas Hallock <[email protected]>
Paul Irish <[email protected]>
Paul O'Leary McCann <[email protected]>
Francis Gulotta <[email protected]>
204 changes: 203 additions & 1 deletion deps/npm/CHANGELOG.md
@@ -1,8 +1,210 @@
### v3.8.6 (2016-03-31)

Heeeeeey y'all.

Kat here! Rebecca's been schmoozing with folks at [Microsoft
Build](https://build.microsoft.com/), so I'm doing the `npm@3` release this
week.

Speaking of Build, it looks like Microsoft is doing some bash thing. This might
be really good news for our Windows users once it rolls around. We're keeping an
eye out and feeling hopeful. 🙆

As far as the release goes: We're really happy to be getting more and more
community contributions! Keep it up! We really appreciate folks trying to help
us, and we'll do our best to help point you in the right direction. Even things
like documentation are a huge help. And remember -- you get socks for it, too!

#### FIXES

* [`f8fb4d8`](https://github.com/npm/npm/commit/f8fb4d83923810eb78d075bd200a9376c64c3e3a)
[#12079](https://github.com/npm/npm/pull/12079)
Back in `[email protected]` we included [a patch that made it so `npm install pkg` was
basically `npm install pkg@latest` instead of
`pkg@*`](https://github.com/npm/npm/pull/9170)
This is probably what most users expected, but it also ended up [breaking `npm
deprecate`](https://github.com/npm/npm/pull/9170) when no version was provided
for a package. In that case, we were using `*` to mean "deprecate all
versions" and relying on the `pkg` -> `pkg@*` conversion.
This patch fixes `npm deprecate pkg` to work as it used to by special casing
that particular command's behavior.
([@polm](https://github.com/polm))
* [`458f773`](https://github.com/npm/npm/commit/458f7734f3376aba0b6ff16d34a25892f7717e40)
[#12146](https://github.com/npm/npm/pull/12146)
Adds `make doc-clean` to `prepublish` script, to clear out previously built
docs before publishing a new npm version
([@watilde](https://github.com/watilde))
* [`f0d1521`](https://github.com/npm/npm/commit/f0d1521038e956b2197673f36c464684293ce99d)
[#12146](https://github.com/npm/npm/pull/12146)
Adds `doc-clean` phony target to `make publish`.
([@watilde](https://github.com/watilde))

#### DOC UPDATES

* [`ea92ffc`](https://github.com/npm/npm/commit/ea92ffc9dd2a063896353fc52c104e85ec061360)
[#12147](https://github.com/npm/npm/pull/12147)
Document that the current behavior of `engines` is just to warn if the node
platform is incompatible.
([@reconbot](https://github.com/reconbot))
* [`cd1ba44`](https://github.com/npm/npm/commit/cd1ba4423b3ca889c741141b95b0d9472b9f71ea)
[#12143](https://github.com/npm/npm/pull/12143)
Remove `npm faq` command, since the [FAQ was
removed](https://github.com/npm/npm/pull/10547).
([@watilde](https://github.com/watilde))
* [`50a12cb`](https://github.com/npm/npm/commit/50a12cb1f5f158af78d6962ad20ff0a98bc18f18)
[#12143](https://github.com/npm/npm/pull/12143)
Remove references to the FAQ from the docs, since [it was
removed](https://github.com/npm/npm/pull/10547).
([@watilde](https://github.com/watilde))
* [`60051c2`](https://github.com/npm/npm/commit/60051c25e2ab80c667137dfcd04b242eea25980e)
[#12093](https://github.com/npm/npm/pull/12093)
Update `bugs` url in `package.json` to use the `https` URL for Github.
([@watilde](https://github.com/watilde))
* [`af30c37`](https://github.com/npm/npm/commit/af30c374ef22ed1a1c71b14fced7c4b8350e4e82)
[#12075](https://github.com/npm/npm/pull/12075)
Add the `--ignore-scripts` flag to the `npm install` docs.
([@paulirish](https://github.com/paulirish))
* [`632b214`](https://github.com/npm/npm/commit/632b214b2f2450e844410792e5947e46844612ff)
[#12063](https://github.com/npm/npm/pull/12063)
Various minor fixes to the html docs homepage.
([@watilde](https://github.com/watilde))

#### DEP BUMPS

* [`3da0171`](https://github.com/npm/npm/commit/3da01716a0e41d6b5adee2b4fc70fcaf08c0eb24)
`[email protected]`
([@jdalton](https://github.com/jdalton))
* [`69ccf6d`](https://github.com/npm/npm/commit/69ccf6dd4caf95cd0628054307487cae1885acd0)
`[email protected]`
([@jdalton](https://github.com/jdalton))
* [`b50c41a`](https://github.com/npm/npm/commit/b50c41a9930dc5353a23c5ae2ff87bb99e11d482)
`[email protected]`
([@jdalton](https://github.com/jdalton))
* [`59c1ad7`](https://github.com/npm/npm/commit/59c1ad7b6f243d07618ed5703bd11d787732fc57)
`[email protected]`
([@jdalton](https://github.com/jdalton))
* [`2b4f797`](https://github.com/npm/npm/commit/2b4f797dba8e7a1376c8335b7223e82d02cd8243)
`[email protected]`
([@jdalton](https://github.com/jdalton))

### v3.8.5 (2016-03-24)

Like my esteemed colleague [@zkat](https://github.com/zkat) said in this
week's [LTS release notes](https://github.com/npm/npm/releases/tag/v2.15.2),
this week is another small release but we are continuing to work on our
[Windows efforts](https://github.com/npm/npm/pull/11444).

You may also be interested in reading the [LTS process and
policy](https://github.com/npm/npm/wiki/LTS) that
[@othiym23](https://github.com/othiym23) put together recently. If you have any
feedback, we would love to hear.

#### DOCTOR IT HURTS WHEN LINK TO MY LINK

Well then, don't do that.

* [`0d4a0b1`](https://github.com/npm/npm/commit/0d4a0b1)
[#11442](https://github.com/npm/npm/pull/11442)
Fail if the user asks us to make a link from a module back on to itself.
([@antialias](https://github.com/antialias))

#### ERR MODULE LIST TOO LONG

* [`b271ed2`](https://github.com/npm/npm/commit/b271ed2)
[#11983](https://github.com/npm/npm/issues/11983)
Exit early if no arguments were provided to search instead of trying to display all the modules,
running out of memory, and then crashing.
([@SimenB](https://github.com/SimenB))

#### ELIMINATE UNUSED MODULE

* [`b8c7cd7`](https://github.com/npm/npm/commit/b8c7cd7)
[#12000](https://github.com/npm/npm/pull/12000)
Stop depending on [`async-some`](https://npmjs.com/package/async-some) as it's no
longer used in npm.
([@watilde](https://github.com/watilde))

#### DOCUMENTATION IMPROVEMENTS

* [`fdd6b28`](https://github.com/npm/npm/commit/fdd6b28)
[#11884](https://github.com/npm/npm/pull/11884)
Include `node_modules` in the list of files and directories that npm won't
include in packages ordinarily. (Modules listed in `bundledDependencies` and things
that those modules rely on, ARE included of course.)
([@Jameskmonger](https://github.com/Jameskmonger))
* [`aac15eb`](https://github.com/npm/npm/commit/aac15eb)
[#12006](https://github.com/npm/npm/pull/12006)
Fix typo in npm-orgs documentation, where teams docs went to access docs and vice versa.
([@yaelz](https://github.com/yaelz))

#### FEWER NETWORK TESTS

* [`3e41360`](https://github.com/npm/npm/commit/3e41360)
[#11987](https://github.com/npm/npm/pull/11987)
Fix test that was inappropriately hitting the network
([@yodeyer](https://github.com/yodeyer))

### v3.8.4 (2016-03-24)

Was erroneously released with just a changelog typo correction and was
otherwise the same as 3.8.3.

### v3.8.3 (2016-03-17):

#### SECURITY ADVISORY: BEARER TOKEN DISCLOSURE

This release includes [the fix for a
vulnerability](https://github.com/npm/npm/commit/f67ecad59e99a03e5aad8e93cd1a086ae087cb29)
that could cause the unintentional leakage of bearer tokens.

Here are details on this vulnerability and how it affects you.

##### DETAILS

Since 2014, npm’s registry has used HTTP bearer tokens to authenticate requests
from the npm’s command-line interface. A design flaw meant that the CLI was
sending these bearer tokens with _every_ request made by logged-in users,
regardless of the destination of their request. (The bearers only should have
been included for requests made against a registry or registries used for the
current install.)

An attacker could exploit this flaw by setting up an HTTP server that could
collect authentication information, then use this authentication information to
impersonate the users whose tokens they collected. This impersonation would
allow them to do anything the compromised users could do, including publishing
new versions of packages.

With the fixes we’ve released, the CLI will only send bearer tokens with
requests made against a registry.

##### THINK YOU'RE AT RISK? REGENERATE YOUR TOKENS

If you believe that your bearer token may have been leaked, [invalidate your
current npm bearer tokens](https://www.npmjs.com/settings/tokens) and rerun
`npm login` to generate new tokens. Keep in mind that this may cause continuous
integration builds in services like Travis to break, in which case you’ll need
to update the tokens in your CI server’s configuration.

##### WILL THIS BREAK MY CURRENT SETUP?

Maybe.

npm’s CLI team believes that the fix won’t break any existing registry setups.
Due to the large number of registry software suites out in the wild, though,
it’s possible our change will be breaking in some cases.

If so, please [file an issue](https://github.com/npm/npm/issues/new) describing
the software you’re using and how it broke. Our team will work with you to
mitigate the breakage.

##### CREDIT & THANKS

Thanks to Mitar, Will White & the team at Mapbox, Max Motovilov, and James
Taylor for reporting this vulnerability to npm.

#### PERFORMANCE IMPROVEMENTS

The updated [`are-we-there-yet`](https://npm.com/package/are-we-there-yet)
The updated [`are-we-there-yet`](https://npmjs.com/package/are-we-there-yet)
changes how it tracks how complete things are to be much more efficient.
The summary is that `are-we-there-yet` was refactored to remove an expensive
tree walk.
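Review bot: In the v3.8.3 SECURITY ADVISORY, the DETAILS text states the token scope two different ways: the parenthetical says bearers should only be included for "a registry or registries used for the current install", while the fix is summarised as sending tokens only "with requests made against a registry". For anyone assessing exposure with several or private registries configured, those are different guarantees, so the entry should say which one the fix enforces. Because this file sits under deps/npm and the PR is an npm upgrade, the wording change belongs upstream rather than in this tree. Two smaller points in the same hunk: in the v3.8.6 FIXES entry the "breaking `npm deprecate`" link points at the same pull/9170 URL as the link just before it, and the `### v3.8.3 (2016-03-17):` heading carries a trailing colon that the newer headings do not.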
2 changes: 1 addition & 1 deletion deps/npm/Makefile
Expand Up @@ -166,7 +166,7 @@ ls-ok:
gitclean:
git clean -fd

publish: gitclean ls-ok link doc
publish: gitclean ls-ok link doc-clean doc
@git push origin :v$(shell npm -v) 2>&1 || true
git push origin $(BRANCH) &&\
git push origin --tags &&\
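Review bot: On the `publish:` line, `doc-clean` is listed directly before `doc` as a sibling prerequisite, which only gives clean-then-build ordering when make runs serially; under `-j` the two can run concurrently and `doc-clean` may remove output that `doc` is still writing. If stale docs in a published release are the concern, make the ordering explicit, for example by running the clean as the first step of the recipe that builds the docs. The CHANGELOG entry describes `doc-clean` as a phony target, but no `.PHONY` declaration is visible in this hunk, so confirm it exists elsewhere in the Makefile.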
2 changes: 0 additions & 2 deletions deps/npm/README.md
Expand Up @@ -141,7 +141,6 @@ you have chosen.
## More Docs

Check out the [docs](https://docs.npmjs.com/),
especially the [faq](https://docs.npmjs.com/misc/faq).

You can use the `npm help` command to read any of them.

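Review bot: Under "## More Docs", dropping the `especially the [faq](https://docs.npmjs.com/misc/faq).` line leaves the preceding line ending in a comma, so the paragraph now reads `Check out the [docs](https://docs.npmjs.com/),` with no end to the sentence. Replace the trailing comma with a period as part of the same change.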
Expand All @@ -164,6 +163,5 @@ will no doubt tell you to put the output in a gist or email.
## SEE ALSO

* npm(1)
* npm-faq(7)
* npm-help(1)
* npm-index(7)