WE WILL NEVER BE DONE FIXING NPM'S GIT SUPPORT

If you look atthe last release's release notes, you will note that they confidently assert that it's perfectly OK to force all GitHub URLs through the samegit: ->git+ssh: fallback flow for cloning. It turns out that many users depend ongit+https: URLs in their build environments because they use GitHub auth tokens instead of SSH keys. Also, in some cases you just want to be able to explicitly say how a given dependency should be cloned from GitHub.

Because of the way we resolved the inconsistency in GitHub shorthand handlingbefore, this turned out to be difficult to work around. So instead of hacking around it, we completely redid how git is handled within npm and its attendant packages. Again. This time, we changed things so thatnormalize-package-data andread-package-json leave more of the git logic to npm itself, which makes handling shorthand syntax consistently much easier, and also allows users to resume using explicit, fully-qualified git URLs without npm messing with them.

Here's a summary of what's changed:

• Instead of converting the GitHub shorthand syntax to agit+ssh:,git:, or
  git+https: URL and saving that, save the shorthand itself to
  package.json.
• If presented with shortcuts, try cloning via the git protocol, SSH, and HTTPS
  (in that order).
• No longer prompt for credentials -- it didn't work right with the spinner,
  and wasn't guaranteed to work anyway. We may experiment with doing this a
  better way in the future. Users can override this by settingGIT_ASKPASS in
  their environment if they want to experiment with interactive cloning, but
  should also set--no-spin on the npm command line (or runnpm config set spin=false).
• EXPERIMENTAL FEATURE: Add support forgithub:,gist:,bitbucket:,
  andgitlab: shorthand prefixes. GitHub shortcuts will continue to be
  normalized toorg/repo instead of being saved asgithub:org/repo, but
  gitlab:,gist:, andbitbucket: prefixes will be used on the command
  line and frompackage.json. BE CAREFUL WITH THIS.package.json files
  published with the new shorthand syntax canonly be read bynpm@2.8.0 and
  later, and this feature is mostly meant for playing around with it. If you
  want to save git dependencies in a form that older versions of npm can read,
  use--save-exact, which will save the git URL and resolved commit hash of
  the head of the branch in a manner simiilar to the way that--save-exact
  pins versions for registry dependencies. This is documented (so checknpm help install for details), but we're not going to make a lot of noise about
  it until it has a chance to bake in a little more.

It is@othiym23's sincere hope that this will resolve all of the inconsistencies users were seeing with GitHub and git-hosted packages, but given the level of change here, that may just be a fond wish. Extra testing of this release is requested.

• 6b0f588
  #7867 Use git shorthand and git
  URLs as presented by user. Support newhosted-git-info shortcut syntax.
  Save shorthand inpackage.json. Try cloning viagit:,git+ssh:, and
  git+https:, in that order, when supported by the underlying hosting
  provider. (@othiym23)
• 75d4267
  #7867 Document new GitHub, GitHub
  gist, Bitbucket, and GitLab shorthand syntax.
  (@othiym23)
• 7d92c75
  #7867 When--save-exact is used
  with git shorthand or URLs, save the fully-resolved URL, with branch name
  resolved to the exact hash for the commit checked out.
  (@othiym23)
• 9220e59
  #7867 Ensure that non-prefixed and
  non-normalized GitHub shortcuts are saved topackage.json.
  (@othiym23)
• dd398e9
  #7867hosted-git-info@2.1.1:
  Ensure thatgist: shorthand survives being round-tripped through
  package.json. (@othiym23)
• 33d1420
  #7867hosted-git-info@2.1.0: Add
  support for auth embedded directly in git URLs.
  (@othiym23)
• 23a1d5a
  #7867hosted-git-info@2.0.2: Make
  it possible to determine in which form a hosted git URL was passed.
  (@iarna)
• eaf75ac
  #7867
  normalize-package-data@2.0.0: Normalize GitHub specifiers so they pass
  through shortcut syntax and preserve explicit URLs.
  (@iarna)
• 95e0535
  #7867npm-package-arg@4.0.0: Add
  git URL and shortcut to hosted git spec and usehosted-git-info@2.0.2.
  (@iarna)
• a808926
  #7867
  realize-package-specifier@3.0.0: Usenpm-package-arg@4.0.0 and test
  shortcut specifier behavior. (@iarna)
• 6dd1e03
  #7867init-package-json@1.4.0:
  Allow dependency onread-package-json@2.0.0.
  (@iarna)
• 63254bb
  #7867read-installed@4.0.0: Use
  read-package-json@2.0.0. (@iarna)
• 254b887
  #7867read-package-json@2.0.0:
  Usenormalize-package-data@2.0.0. (@iarna)
• 0b9f8be
  #7867npm-registry-client@6.3.0:
  Mark compatibility withnormalize-package-data@2.0.0 and
  npm-package-arg@4.0.0. (@iarna)
• f40ecaa
  #7867 Extract a common method to
  use when cloning git repos for testing.
  (@othiym23)

TEST FIXES FOR NODE 0.8

npm continues toget closer to being completely green on Travis for Node 0.8.

• 26d36e9
  #7842 When spawning child
  processes, map exit code 127 to ENOENT so Node 0.8 handles child process
  failures the same as later versions.
  (@SonicHedgehog)
• 54cd895
  #7842 Node 0.8 requires -e with -p
  when evaluating snippets; fix test.
  (@SonicHedgehog)

SMALL FIX AND DOC TWEAK

• 20e9003
tar@2.0.1: Fix regression where relative symbolic links within an
  extraction root that pointed within an extraction root would get normalized
  to absolute symbolic links. (@isaacs)
• 2ef8898
  #7879 Better document thatnpm publish --tag=foo will not setlatest to that version.
  (@linclark)