|
| 1 | +### v2.7.6 (2015-04-02): |
| 2 | + |
| 3 | +#### GIT MEAN, GIT TUFF, GIT ALL THE WAY AWAY FROM MY STUFF |
| 4 | + |
| 5 | +Part of the reason that we're reluctant to take patches to how npm deals with |
| 6 | +git dependencies is that every time we touch the git support, something breaks. |
| 7 | +The last few releases are a case in point. `[email protected]` completely broke |
| 8 | +installing private modules from GitHub, and `[email protected]` fixed them at the cost |
| 9 | +of logging a misleading error message that caused many people to believe that |
| 10 | +their dependencies hadn't been successfully installed when they actually had |
| 11 | +been. |
| 12 | + |
| 13 | +This all started from a desire to ensure that GitHub shortcut syntax is being |
| 14 | +handled correctly. The correct behavior is for npm to try to clone all |
| 15 | +dependencies on GitHub (whether they're specified with the GitHub |
| 16 | +`organization/repository` shortcut syntax or not) via the plain `git:` protocol |
| 17 | +first, and to fall back to using `git+ssh:` if `git:` doesn't work. Previously, |
| 18 | +sometimes npm would use `git:` and `git+ssh:` in some cases (most notably when |
| 19 | +using GitHub shortcut syntax on the command line), and use `git+https:` in |
| 20 | +others (when the GitHub shortcut syntax was present in `package.json`). This |
| 21 | +led to subtle and hard-to-understand inconsistencies, and we're glad that as of |
| 22 | +`[email protected]`, we've finally gotten things to where they were before we started, |
| 23 | +only slightly more consistent overall. |
| 24 | + |
| 25 | +We are now going to go back to our policy of being extremely reluctant to touch |
| 26 | +the code that handles Git dependencies. |
| 27 | + |
| 28 | +* [`b747593`](https://github.com/npm/npm/commit/b7475936f473f029e6a027ba1b16277523747d0b) |
| 29 | + [#7630](https://github.com/npm/npm/issues/7630) Don't automatically log all |
| 30 | + git failures as errors. `maybeGithub` needs to be able to fail without |
| 31 | + logging to support its fallback logic. |
| 32 | + ([@othiym23](https://github.com/othiym23)) |
| 33 | +* [`cd67a0d`](https://github.com/npm/npm/commit/cd67a0db07891d20871822696c26692c8a84866a) |
| 34 | + [#7829](https://github.com/npm/npm/issues/7829) When fetching a git remote |
| 35 | + URL, handle failures gracefully (without assuming standard output exists). |
| 36 | + ([@othiym23](https://github.com/othiym23)) |
| 37 | +* [`637c7d1`](https://github.com/npm/npm/commit/637c7d1411fe07f409cf91f2e65fd70685cb253c) |
| 38 | + [#7829](https://github.com/npm/npm/issues/7829) When fetching a git remote |
| 39 | + URL, handle failures gracefully (without assuming standard _error_ exists). |
| 40 | + ([@othiym23](https://github.com/othiym23)) |
| 41 | + |
| 42 | +#### OTHER SIGNIFICANT FIXES |
| 43 | + |
| 44 | +* [`78005eb`](https://github.com/npm/npm/commit/78005ebb6f4103c20f077669c3929b7ea46a4c0d) |
| 45 | + [#7743](https://github.com/npm/npm/issues/7743) Always quote arguments passed |
| 46 | + to `npm run-script`. This allows build systems and the like to safely escape |
| 47 | + glob patterns passed as arguments to `run-scripts` with `npm run-script |
| 48 | + <script> -- <arguments>`. This is a tricky change to test, and may be |
| 49 | + reverted or moved to `npm@3` if it turns out it breaks things for users. |
| 50 | + ([@mantoni](https://github.com/mantoni)) |
| 51 | +* [`da015ee`](https://github.com/npm/npm/commit/da015eee45f6daf384598151d06a9b57ffce136e) |
| 52 | + [#7074](https://github.com/npm/npm/issues/7074) `read-package-json@1.3.3`: |
| 53 | + `read-package-json` no longer caches `package.json` files, which trades a |
| 54 | + very small performance loss for the elimination of a large class of really |
| 55 | + annoying race conditions. See [#7074](https://github.com/npm/npm/issues/7074) |
| 56 | + for the grisly details. ([@othiym23](https://github.com/othiym23)) |
| 57 | +* [`dd20f57`](https://github.com/npm/npm/commit/dd20f5755291b9433f0d298ee0eead22cda6db36) |
| 58 | + `init-package-json@1.3.2`: Only add the `@` to scoped package names if it's |
| 59 | + not already there when reading from the filesystem |
| 60 | + ([@watilde](https://github.com/watilde)), and support inline validation of |
| 61 | + package names ([@michaelnisi](https://github.com/michaelnisi)). |
| 62 | +
|
| 63 | +#### SMALL FIXES AND DEPENDENCY UPGRADES |
| 64 | +
|
| 65 | +* [`1f380f6`](https://github.com/npm/npm/commit/1f380f66c1e944b8ffbf096fa94d09e931626e12) |
| 66 | + [#7820](https://github.com/npm/npm/issues/7820) `are-we-there-yet@1.0.4`: Use |
| 67 | + `readable-stream` instead of built-in `stream` module to better support |
| 68 | + Node.js 0.8.x. ([@SonicHedgehog](https://github.com/SonicHedgehog)) |
| 69 | +* [`d380188`](https://github.com/npm/npm/commit/d380188e161be31f5a4f53947de6bc28df4732d8) |
| 70 | + `semver@4.3.3`: Don't throw on `semver.parse(null)`, and parse numeric |
| 71 | + version strings more robustly. ([@isaacs](https://github.com/isaacs)) |
| 72 | +* [`01d9964`](https://github.com/npm/npm/commit/01d99649265f921e1c61cf406613e7042bcea008) |
| 73 | + `nock@1.4.0`: This change may need to be rolled back, or rolled forward, |
| 74 | + because [nock depends on |
| 75 | + `setImmediate`](https://github.com/npm/npm/issues/7842), which causes tests |
| 76 | + to fail when run with Node.js 0.8. ([@othiym23](https://github.com/othiym23)) |
| 77 | +* [`91f5cb1`](https://github.com/npm/npm/commit/91f5cb1fb91520fbe25a4da5b80848ed540b9ad3) |
| 78 | + [#7791](https://github.com/npm/npm/issues/7791) Fix brackets in npmconf so |
| 79 | + that `loaded` is set correctly. |
| 80 | + ([@charmander](https://github.com/charmander)) |
| 81 | +* [`1349e27`](https://github.com/npm/npm/commit/1349e27c936a8b0fc9f6440a6d6404ef3b19c587) |
| 82 | + [#7818](https://github.com/npm/npm/issues/7818) Update `README.md` to point |
| 83 | + out that the install script now lives on https://www.npmjs.com. |
| 84 | + ([@weisjohn](https://github.com/weisjohn)) |
| 85 | +
|
1 | 86 | ### v2.7.5 (2015-03-26):
|
2 | 87 |
|
| 88 | +#### SECURITY FIXES |
| 89 | +
|
| 90 | +* [`300834e`](https://github.com/npm/npm/commit/300834e91a4e2a95fb7fb59c309e7c3fc91d2312) |
| 91 | + `tar@2.0.0`: Normalize symbolic links that point to targets outside the |
| 92 | + extraction root. This prevents packages containing symbolic links from |
| 93 | + overwriting targets outside the expected paths for a package. Thanks to [Tim |
| 94 | + Cuthbertson](http://gfxmonk.net/) and the team at [Lift |
| 95 | + Security](https://liftsecurity.io/) for working with the npm team to identify |
| 96 | + this issue. ([@othiym23](https://github.com/othiym23)) |
| 97 | +* [`0dc6875`](https://github.com/npm/npm/commit/0dc68757cffd5397c280bc71365d106523a5a052) |
| 98 | + `semver@4.3.2`: Package versions can be no more than 256 characters long. |
| 99 | + This prevents a situation in which parsing the version number can use |
| 100 | + exponentially more time and memory to parse, leading to a potential denial of |
| 101 | + service. Thanks to Adam Baldwin at Lift Security for bringing this to our |
| 102 | + attention. ([@isaacs](https://github.com/isaacs)) |
| 103 | +
|
3 | 104 | #### BUG FIXES
|
4 | 105 |
|
5 | 106 | * [`5811468`](https://github.com/npm/npm/commit/5811468e104ccb6b26b8715dff390d68daa10066)
|
6 | 107 | [#7713](https://github.com/npm/npm/issues/7713) Add a test for `npm link` and
|
7 |
| - `npm link <package>`. ([@w](https://github.com/w)atilde) |
| 108 | + `npm link <package>`. ([@watilde](https://github.com/watilde)) |
8 | 109 | * [`3cf3b0c`](https://github.com/npm/npm/commit/3cf3b0c8fddb6b66f969969feebea85fabd0360b)
|
9 | 110 | [#7713](https://github.com/npm/npm/issues/7713) Only use absolute symbolic
|
10 | 111 | links when `npm link`ing. ([@hokaccha](https://github.com/hokaccha))
|
|
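Review bot: the two entries added under SECURITY FIXES for v2.7.5 (`tar@2.0.0` symlink normalization, `semver@4.3.2` 256-character version cap) describe the impact but say nothing about which earlier npm releases bundle the vulnerable `tar`/`semver`, nor how a user can confirm the fixed versions are installed, which is exactly what someone triaging the symlink-escape or the version-parsing denial of service needs; suggest adding the affected range to each entry and a check such as `npm ls tar` / `npm ls semver`. Separately, the version references in the v2.7.6 narrative render here as `[email protected]` three times (the "completely broke installing private modules" sentence, the "fixed them at the cost of logging a misleading error message" sentence, and "as of `[email protected]`"), so the explicit `npm@2.7.x` versions that paragraph depends on are lost in the rendered text and should be verified in the source.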
25 | 126 |
|
26 | 127 | #### DEPENDENCY UPDATES
|
27 | 128 |
|
28 |
| -* [`300834e`](https://github.com/npm/npm/commit/300834e91a4e2a95fb7fb59c309e7c3fc91d2312) |
29 |
| - `[email protected]`: Normalize symbolic links that point to targets outside the |
30 |
| - extraction root. ([@othiym23](https://github.com/othiym23)) |
31 |
| -* [`0dc6875`](https://github.com/npm/npm/commit/0dc68757cffd5397c280bc71365d106523a5a052) |
32 |
| - `[email protected]`: Package versions can be no more than 256 characters long. |
33 |
| - ([@isaacs](https://github.com/isaacs)) |
34 | 129 | * [`94df809`](https://github.com/npm/npm/commit/94df8095985bf5ba9d8db99dc445d05dac136aaf)
|
35 | 130 | `request@2.54.0`: Fixes for Node.js 0.12 and io.js.
|
36 | 131 | ([@simov](https://github.com/simov))
|
|
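Review bot: the two removed DEPENDENCY UPDATES entries (`300834e`, `0dc6875`) are the same commits re-listed with fuller descriptions in the new SECURITY FIXES section of the same v2.7.5 block, so this hunk is a reclassification rather than a deletion and no duplicate listing remains; because it rewrites an already-published release section, the commit message should state that the entries were moved, not dropped, so readers diffing the changelog do not read this as a fix being withdrawn. One style nit: the removed lines wrote the versions as `[email protected]` while the re-added entries write `tar@2.0.0` and `semver@4.3.2`; the explicit form is the one to keep.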