|
| 1 | +### v3.8.6 (2016-03-31) |
| 2 | + |
| 3 | +Heeeeeey y'all. |
| 4 | + |
| 5 | +Kat here! Rebecca's been schmoozing with folks at [Microsoft |
| 6 | +Build](https://build.microsoft.com/), so I'm doing the `npm@3` release this |
| 7 | +week. |
| 8 | + |
| 9 | +Speaking of Build, it looks like Microsoft is doing some bash thing. This might |
| 10 | +be really good news for our Windows users once it rolls around. We're keeping an |
| 11 | +eye out and feeling hopeful. 🙆 |
| 12 | + |
| 13 | +As far as the release goes: We're really happy to be getting more and more |
| 14 | +community contributions! Keep it up! We really appreciate folks trying to help |
| 15 | +us, and we'll do our best to help point you in the right direction. Even things |
| 16 | +like documentation are a huge help. And remember -- you get socks for it, too! |
| 17 | + |
| 18 | +#### FIXES |
| 19 | + |
| 20 | +* [`f8fb4d8`](https://github.com/npm/npm/commit/f8fb4d83923810eb78d075bd200a9376c64c3e3a) |
| 21 | + [#12079](https://github.com/npm/npm/pull/12079) |
| 22 | + Back in `npm@3.2.2` we included [a patch that made it so `npm install pkg` was |
| 23 | + basically `npm install pkg@latest` instead of |
| 24 | + `pkg@*`](https://github.com/npm/npm/pull/9170) |
| 25 | + This is probably what most users expected, but it also ended up [breaking `npm |
| 26 | + deprecate`](https://github.com/npm/npm/pull/9170) when no version was provided |
| 27 | + for a package. In that case, we were using `*` to mean "deprecate all |
| 28 | + versions" and relying on the `pkg` -> `pkg@*` conversion. |
| 29 | + This patch fixes `npm deprecate pkg` to work as it used to by special casing |
| 30 | + that particular command's behavior. |
| 31 | + ([@polm](https://github.com/polm)) |
| 32 | +* [`458f773`](https://github.com/npm/npm/commit/458f7734f3376aba0b6ff16d34a25892f7717e40) |
| 33 | + [#12146](https://github.com/npm/npm/pull/12146) |
| 34 | + Adds `make doc-clean` to `prepublish` script, to clear out previously built |
| 35 | + docs before publishing a new npm version |
| 36 | + ([@watilde](https://github.com/watilde)) |
| 37 | +* [`f0d1521`](https://github.com/npm/npm/commit/f0d1521038e956b2197673f36c464684293ce99d) |
| 38 | + [#12146](https://github.com/npm/npm/pull/12146) |
| 39 | + Adds `doc-clean` phony target to `make publish`. |
| 40 | + ([@watilde](https://github.com/watilde)) |
| 41 | + |
| 42 | +#### DOC UPDATES |
| 43 | + |
| 44 | +* [`ea92ffc`](https://github.com/npm/npm/commit/ea92ffc9dd2a063896353fc52c104e85ec061360) |
| 45 | + [#12147](https://github.com/npm/npm/pull/12147) |
| 46 | + Document that the current behavior of `engines` is just to warn if the node |
| 47 | + platform is incompatible. |
| 48 | + ([@reconbot](https://github.com/reconbot)) |
| 49 | +* [`cd1ba44`](https://github.com/npm/npm/commit/cd1ba4423b3ca889c741141b95b0d9472b9f71ea) |
| 50 | + [#12143](https://github.com/npm/npm/pull/12143) |
| 51 | + Remove `npm faq` command, since the [FAQ was |
| 52 | + removed](https://github.com/npm/npm/pull/10547). |
| 53 | + ([@watilde](https://github.com/watilde)) |
| 54 | +* [`50a12cb`](https://github.com/npm/npm/commit/50a12cb1f5f158af78d6962ad20ff0a98bc18f18) |
| 55 | + [#12143](https://github.com/npm/npm/pull/12143) |
| 56 | + Remove references to the FAQ from the docs, since [it was |
| 57 | + removed](https://github.com/npm/npm/pull/10547). |
| 58 | + ([@watilde](https://github.com/watilde)) |
| 59 | +* [`60051c2`](https://github.com/npm/npm/commit/60051c25e2ab80c667137dfcd04b242eea25980e) |
| 60 | + [#12093](https://github.com/npm/npm/pull/12093) |
| 61 | + Update `bugs` url in `package.json` to use the `https` URL for Github. |
| 62 | + ([@watilde](https://github.com/watilde)) |
| 63 | +* [`af30c37`](https://github.com/npm/npm/commit/af30c374ef22ed1a1c71b14fced7c4b8350e4e82) |
| 64 | + [#12075](https://github.com/npm/npm/pull/12075) |
| 65 | + Add the `--ignore-scripts` flag to the `npm install` docs. |
| 66 | + ([@paulirish](https://github.com/paulirish)) |
| 67 | +* [`632b214`](https://github.com/npm/npm/commit/632b214b2f2450e844410792e5947e46844612ff) |
| 68 | + [#12063](https://github.com/npm/npm/pull/12063) |
| 69 | + Various minor fixes to the html docs homepage. |
| 70 | + ([@watilde](https://github.com/watilde)) |
| 71 | + |
| 72 | +#### DEP BUMPS |
| 73 | + |
| 74 | +* [`3da0171`](https://github.com/npm/npm/commit/3da01716a0e41d6b5adee2b4fc70fcaf08c0eb24) |
| 75 | + `lodash.without@4.1.2` |
| 76 | + ([@jdalton](https://github.com/jdalton)) |
| 77 | +* [`69ccf6d`](https://github.com/npm/npm/commit/69ccf6dd4caf95cd0628054307487cae1885acd0) |
| 78 | + `lodash.uniq@4.2.1` |
| 79 | + ([@jdalton](https://github.com/jdalton)) |
| 80 | +* [`b50c41a`](https://github.com/npm/npm/commit/b50c41a9930dc5353a23c5ae2ff87bb99e11d482) |
| 81 | + `lodash.union@4.2.1` |
| 82 | + ([@jdalton](https://github.com/jdalton)) |
| 83 | +* [`59c1ad7`](https://github.com/npm/npm/commit/59c1ad7b6f243d07618ed5703bd11d787732fc57) |
| 84 | + `lodash.clonedeep@4.3.2` |
| 85 | + ([@jdalton](https://github.com/jdalton)) |
| 86 | +* [`2b4f797`](https://github.com/npm/npm/commit/2b4f797dba8e7a1376c8335b7223e82d02cd8243) |
| 87 | + `lodash._baseuniq@4.5.1` |
| 88 | + ([@jdalton](https://github.com/jdalton)) |
| 89 | + |
| 90 | +### v3.8.5 (2016-03-24) |
| 91 | + |
| 92 | +Like my esteemed colleague [@zkat](https://github.com/zkat) said in this |
| 93 | +week's [LTS release notes](https://github.com/npm/npm/releases/tag/v2.15.2), |
| 94 | +this week is another small release but we are continuing to work on our |
| 95 | +[Windows efforts](https://github.com/npm/npm/pull/11444). |
| 96 | + |
| 97 | +You may also be interested in reading the [LTS process and |
| 98 | +policy](https://github.com/npm/npm/wiki/LTS) that |
| 99 | +[@othiym23](https://github.com/othiym23) put together recently. If you have any |
| 100 | +feedback, we would love to hear. |
| 101 | + |
| 102 | +#### DOCTOR IT HURTS WHEN LINK TO MY LINK |
| 103 | + |
| 104 | +Well then, don't do that. |
| 105 | + |
| 106 | +* [`0d4a0b1`](https://github.com/npm/npm/commit/0d4a0b1) |
| 107 | + [#11442](https://github.com/npm/npm/pull/11442) |
| 108 | + Fail if the user asks us to make a link from a module back on to itself. |
| 109 | + ([@antialias](https://github.com/antialias)) |
| 110 | + |
| 111 | +#### ERR MODULE LIST TOO LONG |
| 112 | + |
| 113 | +* [`b271ed2`](https://github.com/npm/npm/commit/b271ed2) |
| 114 | + [#11983](https://github.com/npm/npm/issues/11983) |
| 115 | + Exit early if no arguments were provided to search instead of trying to display all the modules, |
| 116 | + running out of memory, and then crashing. |
| 117 | + ([@SimenB](https://github.com/SimenB)) |
| 118 | + |
| 119 | +#### ELIMINATE UNUSED MODULE |
| 120 | + |
| 121 | +* [`b8c7cd7`](https://github.com/npm/npm/commit/b8c7cd7) |
| 122 | + [#12000](https://github.com/npm/npm/pull/12000) |
| 123 | + Stop depending on [`async-some`](https://npmjs.com/package/async-some) as it's no |
| 124 | + longer used in npm. |
| 125 | + ([@watilde](https://github.com/watilde)) |
| 126 | + |
| 127 | +#### DOCUMENTATION IMPROVEMENTS |
| 128 | + |
| 129 | +* [`fdd6b28`](https://github.com/npm/npm/commit/fdd6b28) |
| 130 | + [#11884](https://github.com/npm/npm/pull/11884) |
| 131 | + Include `node_modules` in the list of files and directories that npm won't |
| 132 | + include in packages ordinarily. (Modules listed in `bundledDependencies` and things |
| 133 | + that those modules rely on, ARE included of course.) |
| 134 | + ([@Jameskmonger](https://github.com/Jameskmonger)) |
| 135 | +* [`aac15eb`](https://github.com/npm/npm/commit/aac15eb) |
| 136 | + [#12006](https://github.com/npm/npm/pull/12006) |
| 137 | + Fix typo in npm-orgs documentation, where teams docs went to access docs and vice versa. |
| 138 | + ([@yaelz](https://github.com/yaelz)) |
| 139 | + |
| 140 | +#### FEWER NETWORK TESTS |
| 141 | + |
| 142 | +* [`3e41360`](https://github.com/npm/npm/commit/3e41360) |
| 143 | + [#11987](https://github.com/npm/npm/pull/11987) |
| 144 | + Fix test that was inappropriately hitting the network |
| 145 | + ([@yodeyer](https://github.com/yodeyer)) |
| 146 | + |
| 147 | +### v3.8.4 (2016-03-24) |
| 148 | + |
| 149 | +Was erroneously released with just a changelog typo correction and was |
| 150 | +otherwise the same as 3.8.3. |
| 151 | + |
1 | 152 | ### v3.8.3 (2016-03-17): |
2 | 153 |
|
| 154 | +#### SECURITY ADVISORY: BEARER TOKEN DISCLOSURE |
| 155 | + |
| 156 | +This release includes [the fix for a |
| 157 | +vulnerability](https://github.com/npm/npm/commit/f67ecad59e99a03e5aad8e93cd1a086ae087cb29) |
| 158 | +that could cause the unintentional leakage of bearer tokens. |
| 159 | + |
| 160 | +Here are details on this vulnerability and how it affects you. |
| 161 | + |
| 162 | +##### DETAILS |
| 163 | + |
| 164 | +Since 2014, npm’s registry has used HTTP bearer tokens to authenticate requests |
| 165 | +from the npm’s command-line interface. A design flaw meant that the CLI was |
| 166 | +sending these bearer tokens with _every_ request made by logged-in users, |
| 167 | +regardless of the destination of their request. (The bearers only should have |
| 168 | +been included for requests made against a registry or registries used for the |
| 169 | +current install.) |
| 170 | + |
| 171 | +An attacker could exploit this flaw by setting up an HTTP server that could |
| 172 | +collect authentication information, then use this authentication information to |
| 173 | +impersonate the users whose tokens they collected. This impersonation would |
| 174 | +allow them to do anything the compromised users could do, including publishing |
| 175 | +new versions of packages. |
| 176 | + |
| 177 | +With the fixes we’ve released, the CLI will only send bearer tokens with |
| 178 | +requests made against a registry. |
| 179 | + |
| 180 | +##### THINK YOU'RE AT RISK? REGENERATE YOUR TOKENS |
| 181 | + |
| 182 | +If you believe that your bearer token may have been leaked, [invalidate your |
| 183 | +current npm bearer tokens](https://www.npmjs.com/settings/tokens) and rerun |
| 184 | +`npm login` to generate new tokens. Keep in mind that this may cause continuous |
| 185 | +integration builds in services like Travis to break, in which case you’ll need |
| 186 | +to update the tokens in your CI server’s configuration. |
| 187 | + |
| 188 | +##### WILL THIS BREAK MY CURRENT SETUP? |
| 189 | + |
| 190 | +Maybe. |
| 191 | + |
| 192 | +npm’s CLI team believes that the fix won’t break any existing registry setups. |
| 193 | +Due to the large number of registry software suites out in the wild, though, |
| 194 | +it’s possible our change will be breaking in some cases. |
| 195 | + |
| 196 | +If so, please [file an issue](https://github.com/npm/npm/issues/new) describing |
| 197 | +the software you’re using and how it broke. Our team will work with you to |
| 198 | +mitigate the breakage. |
| 199 | + |
| 200 | +##### CREDIT & THANKS |
| 201 | + |
| 202 | +Thanks to Mitar, Will White & the team at Mapbox, Max Motovilov, and James |
| 203 | +Taylor for reporting this vulnerability to npm. |
| 204 | + |
3 | 205 | #### PERFORMANCE IMPROVEMENTS |
4 | 206 |
|
5 | | -The updated [`are-we-there-yet`](https://npm.com/package/are-we-there-yet) |
| 207 | +The updated [`are-we-there-yet`](https://npmjs.com/package/are-we-there-yet) |
6 | 208 | changes how it tracks how complete things are to be much more efficient. |
7 | 209 | The summary is that `are-we-there-yet` was refactored to remove an expensive |
8 | 210 | tree walk. |
|
0 commit comments