NOTE: This PR is a WIP. npm@5 beta is currently underway. See#16510 for deets.

Wowowowowow npm@5!

This release marks months of hard work for the young, scrappy, and hungry CLI team, and includes some changes we've been hoping to do for literally years. npm@5 takes npm a pretty big step forward, significantly improving its performance in almost all common situations, fixing a bunch of old errors due to the architecture, and just generally making it more robust and fault-tolerant. It comes with changes to make life easier for people doing monorepos, for users who want consistency/security guarantees, and brings semver support to git dependencies. See below for all the deets!

Breaking Changes

• One binary to rule them all:./cli.js has been removed in favor of./bin/npm-cli.js. In case you were doing something with./cli.js itself. (Replace cli.js with bin/npm-cli.js and remove cli.js #12096)

• Stub file removed (utils: removelib/utils/rename.js #16204)

• Existing npm caches will no longer be used: you will have to redownload any cached packages. There is no tool or intention to reuse old caches. (Replace metadata + fetch + cache code #15666)

• npm install ./packages/subdir will now create a symlink instead of a regular installation.file://path/to/tarball.tgz will not change -- only directories are symlinked. (RFC: file: specifier changes #15900)

• npm will now scold you if you capitalize its name. seriously it will fight you.

• The "extremely legacy"_token couchToken has been removed. (Remove_token support altogether` #12986)

• npm will--save by default now. Additionally,package-lock.json will be automatically created unless annpm-shrinkwrap.json exists. (Replace metadata + fetch + cache code #15666)

• git dependencies support semver (Resolve git dependencies with semver ranges #15308,Replace metadata + fetch + cache code #15666)

• git dependencies withprepare scripts will have theirdevDependencies installed, andnpm install run in their directory before being packed.

• npm cache commands have been rewritten and don't really work anything like they did before. (Replace metadata + fetch + cache code #15666)

• --cache-min and--cache-max have been deprecated. (Replace metadata + fetch + cache code #15666)

• running npm while offline will no longer insist on retrying network requests (Replace metadata + fetch + cache code #15666)

• The contents of~/.npm have completely changed.

• A new loglevel,notice, has been added and set as default.

• package locks no longer excludeoptionalDependencies that failed to build. This means package-lock.json and npm-shrinkwrap.json should now be cross-platform. (RFC: file: specifier changes #15900)

• shrinkwrap and package-lock no longer excludedevDependencies. You can still prevent their installation with--prod/--only=prod. (RFC: file: specifier changes #15900)

• If you generated your package lock against registry A, and you switch to registry B, npm will now try toinstall the packages from registry B, instead of A. If you want to use different registries for different packages, use scope-specific registries (npm config set @myscope:registry=https://myownregist.ry/packages/). Different registries for different unscoped packages are not supported anymore.

• shrinkwrap and package-lock no longer warn and exit without saving the lockfile

• Local tarballs can now only be installed if they have a file extensions.tar,.tar.gz, or.tgz.

Feature Summary

There's a bunch of exciting stuff going in here! You can track all the changes planned fornpm@5 onits project tracker.

Installer changes

• A new, standardised lockfile feature meant for cross-package-manager compatibility (package-lock.json), and a new format and semantics for shrinkwrap. (spec: Describe npm-shrinkwrap.json and package-lock.json #16441)

• --save is no longer necessary. All installs will be saved by default. You can prevent saving with--no-save. Installing optional and dev deps is unchanged: use-D/--save-dev and-O/--save-optional if you want them saved into those fields instead. Note that since npm@3, npm will automatically update npm-shrinkwrap.json when you save: this will also be true forpackage-lock.json. (Replace metadata + fetch + cache code #15666)

• Installing a package directory now ends up creating a symlink and does the Right Thing™ as far as saving to and installing fromnpm-shrinkwrap.json goes. If you have a monorepo, this should make things much easier to work with, and probably a lot faster too. 😁 (RFC: file: specifier changes #15900)

• git dependencies now support semver-based matching:npm install git://github.com/npm/npm#semver:^5 (Resolve git dependencies with semver ranges #15308,Replace metadata + fetch + cache code #15666)

• git dependencies withprepare scripts will nowhave their devDependencies installed, and their prepare script executed as if undernpm pack.

• node-gyp now supportsnode-gyp.cmd on Windows (Changenpm_config_node_gyp to use shell script on Windows #14568)

• npm no longer blasts your screen with the whole installed tree. Instead, you'll see a summary report of the install that is much kinder on your shell real-estate. Specially for large projects. (Replace post install module list with summary report #15914):

$ npm installnpm added 125, removed 32, updated 148 and moved 5 packages in 5.032s.$

• --parseable and--json now work more consistently across various commands, particularlyinstall andls.

• Indentation is nowdetected and preserved forpackage.json,package-lock.json, andnpm-shrinkwrap.json. If the package lock is missing, it will default topackage.json's current indentation.

Publishing

• Newpublishes will now includebothsha512 andsha1 checksums. Versions of npm from 5 onwards will use the strongest algorithm available to verify downloads. (feat(integrity): add integrity field to publish npm-registry-client#157)

Cache Rewrite!

We've been talking about rewriting the cache for a loooong time. So here it is. Lots of exciting stuff ahead. The rewrite will also enable some exciting future features, but we'll talk about those when they're actually in the works.#15666 is the main PR for all these changes. Additional PRs/commits are linked inline.

• package metadata, package download, and caching infrastructure replaced

• It's a bit faster.Hopefully it will be noticeable. 🤔

• With the shrinkwrap and package-lock changes, tarballs will be looked up in the cache by content address (and verified with it)

• Corrupted cache entries willautomatically be removed and re-fetched on integrity check failure.

• npm CLI now supports tarball hashes with any hash function supported by Node.js. That is, it willusesha512 for tarballs from registries that send asha512 checksum as the tarball hash. Publishing withsha512 is added byfeat(integrity): add integrity field to publish npm-registry-client#157 and may be backfilled by the registry for older entries.

• remote tarball requests are now properly cached. This means that even if you're missing theintegrity field in yournpm-shrinkwrap.json, npm will be able to install from the cache.

• Downloads for large packages are streamed in and out of disk. npm is now able to install packages of """any""" size without running out of memory. Support for publishing them is pending (due to registry limitations).

• Automatic fallback-to-offline mode. npm will seamlessly use your cache if you are offline, or if you lose access to a particular registry (for example, if you can no longer access a private npm repo, or if your git host is unavailable).

• A new--prefer-offline option will make npm skip any conditional requests (304 checks) for stale cache data, andonly hit the network if something is missing from the cache.

• A new--prefer-online option that will force npm to revalidate cached data (with 304 checks), ignoring any staleness checks, and refreshing the cache with revalidated, fresh data.

• A new--offline option will force npm to use the cache or exit. It will error with anENOTCACHED code if anything it tries to install isn't already in the cache.

• A newnpm cache verify command that will garbage collect your cache, reducing disk usage for things you don't need (-handwave-), and will do full integrity verification on both the index and the content. This will also be hooked intonpm doctor as part of its larger suite of checking tools.

• The new cache isvery fault tolerant and supports concurrent access.

  • Multiple npm processes will not corrupt a shared cache.
  • Corrupted data will not be installed. Data is checked on both insertion and extraction, and treated as if it were missing if found to be corrupted. I will literally bake you a cookie if you manage to corrupt the cache in such a way that you end up with the wrong data in your installation (installer bugs notwithstanding).
  • npm cache clear is no longer useful for anything except clearing up disk space.

• Package metadata is cached separately per registry and package type: you can't have package name conflicts between locally-installed packages, private repo packages, and public repo packages. Identical tarball data will still be shared/deduplicated as long as their hashes match.

• HTTP cache-related headers and features are "fully" (lol) supported for both metadata and tarball requests -- if you have your own registry, you can define your own cache settings the CLI will obey!

• prepublishOnly now runsbefore the tarball to publish is created, afterprepare has run.

• ...and more!

For release task list

• First downstreaming to Node.js 8 (for 5/9)
• Update docs for new/changes features
  • prepare on git dependency installation
  • package-lock.json vsshrinkwrap
  • Auto-save
  • sha512 on new publishes
• Land file specifier branch (including idempotent package-lock and many other fixes)
  • Last work on file specifier branch (complete spec tests)
  • details! links to links,
  • details! removing links
• Improve behavior for shrinkwrap/package-lock
  • warn if both files are there, preferring shrinkwrap
  • Add new fields from spec:created-with,shrinkwrap-version,package-integrity,
  • full new install semantics around dependency fields, based on shrinkwrap version
  • warn if the shrinkwrap is an incompatible version
    • for npm@5
  • update link spec doc to match shrinkwrap
  • Stop generating shrinkwrap/lockfiles off the filesystem -- calculate the tree w/ the installer
• Makenpm update save files as right type: devDeps end up getting saved as deps
• Leave uninstallable optionalsin the tree in such a way that they don't get installed bydiff-trees but they do end up in the lock.
• Ensurenpm install --production doesn't remove dev deps from the lock.
• Addnotice andtiming log levels directly to npmlog
• Land patch about runningprepare when installing git dependencies.
• Fix cross-protocol redirects:can't fetch url which will redirect to another url with different protocol zkat/make-fetch-happen#26