The recent changes to improve protocol security on GitHub.com are now coming to GitHub Enterprise Server, starting with version 3.6.
We first introduced npm v7 back in May. Today, we are excited to announce the release of npm v7.0.0, which will be shipping with Node.js 15.0.0 next week. If you would like to try it out now, you can install today by running
npm i -g npm@7 in your terminal.
npm 7 comes with some long-awaited and requested features including:
- Workspaces: a set of features to the npm CLI that provide support to managing multiple packages from within a singular top-level, root package
- Automatically installing peer dependencies: prior to npm 7 developers needed to manage and install their own peer dependencies. The new peer dependency algorithm ensures that a validly matching peer dependency is found at or above the peer-dependent’s location in the node_modules tree.
- package-lock v2 and support for yarn.lock: Our new package-lock format will unlock the ability to do deterministically reproducible builds and includes everything npm will need to fully build the package tree. Prior to npm 7 yarn.lock files were ignored, the npm cli can now use yarn.lock as source of package metadata and resolution guidance.
The internals of npm have been significantly refactored. There has been a large effort on separating concerns. For example, the inspection and management of the node_modules tree has been moved to the module Arborist. You can read about Arborist in this post on the npmjs blog.
These internal changes will ensure that the npm code base is more reliable over time and easier to maintain. With fewer bugs and a faster iteration cycle we will be able to deliver updates to npm faster than ever before.
We’ve been smoke-testing npm 7.0.0 using the Node.js smoke testing suite CITGM and are happy to report that despite massive internal changes, there are no new modules failing with npm 7 vs npm 6 when run against 120+ highly relied upon modules!
Despite the massive overhaul to the internals of npm, the team has worked tirelessly to ensure that there will be minimal disruptions to most workflows. That said, some breaking changes are necessary to improve the overall developer experience. Breaking changes in npm 7.0.0 include:
- Automatically installing peer dependencies (while this feature is something we think is desirable new behavior, it does potentially break certain workflows).
- npm uses the
package.exportsfield making it no longer possible to
require()npm’s internal modules.
npxhas been completely rewritten to use the
npm execcommand. There are various changes in functionality, most noticeable being a prompt if the module you are trying to run is not yet installed.
- The output of
npm audithas significantly changed both in the human-readable and
To learn more about the breaking changes in npm 7.0.0 please check out our in-depth post on the npmjs.com blog.
We know npm 7 is a big change, and we want to take extra care to not break the millions of workflows that use npm, especially in production. For this reason, we are going to take a page from Node.js and roll this release out over time.
npm 7.0.0. will not be marked as
latest; your workflows will not get npm v7.0.0 by default unless you opt in by running
npm install -g npm@7 or install Node.js 15.
While we are confident that this release is ready to use daily, we want more real world use to get your feedback and bug reports. When we are sure that npm 7 has met the bar to be included in a Node.js LTS release, we will be publishing the release line as
We will also continue to improve the npm CLI with new features including improvements to workspaces and package overrides. If you have ideas for features for the npm CLI please check out our RFC repo and open an issue!