Presenting v7.0.0 of the npm CLI

Image of Myles Borins

It’s hard to believe that just over 11 years ago the JavaScript community didn’t have npm. Fast forward to today, and npm now has millions of developers and over 1.3M packages with 75B downloads a month.

We first introduced npm v7 back in May. Today, we are excited to announce the release of npm v7.0.0, which will be shipping with Node.js 15.0.0 next week. If you would like to try it out now, you can install it today by running npm i -g npm@7 in your terminal.

Exciting new features

npm 7 comes with some long-awaited and requested features including:

  • Workspaces: a set of features in the npm CLI that support managing multiple packages from within a single top-level root package
  • Automatically installing peer dependencies: prior to npm 7 developers needed to manage and install their own peer dependencies. The new peer dependency algorithm ensures that a validly matching peer dependency is found at or above the peer-dependent’s location in the node_modules tree.
  • package-lock v2 and support for yarn.lock: Our new package-lock format will unlock the ability to do deterministically reproducible builds and includes everything npm will need to fully build the package tree. Prior to npm 7, yarn.lock files were ignored; the npm CLI can now use yarn.lock as a source of package metadata and resolution guidance.

What’s old is new again

The internals of npm have been significantly refactored. There has been a large effort on separating concerns. For example, the inspection and management of the node_modules tree has been moved to the module Arborist. You can read about Arborist in this post on the npmjs blog.

These internal changes will ensure that the npm code base is more reliable over time and easier to maintain. With fewer bugs and a faster iteration cycle we will be able to deliver updates to npm faster than ever before.

We’ve been smoke-testing npm 7.0.0 using the Node.js smoke testing suite CITGM and are happy to report that despite massive internal changes, there are no new modules failing with npm 7 vs npm 6 when run against 120+ highly relied upon modules!

Breaking changes

Despite the massive overhaul to the internals of npm, the team has worked tirelessly to ensure that there will be minimal disruptions to most workflows. That said, some breaking changes are necessary to improve the overall developer experience. Breaking changes in npm 7.0.0 include:

  • Automatically installing peer dependencies (while this feature is something we think is desirable new behavior, it does potentially break certain workflows).
  • npm uses the package.exports field making it no longer possible to require() npm’s internal modules.
  • npx has been completely rewritten to use the npm exec command. There are various changes in functionality, the most noticeable being a prompt if the module you are trying to run is not yet installed.
  • The output of npm audit has significantly changed both in the human-readable and --json output styles.

To learn more about the breaking changes in npm 7.0.0 please check out our in-depth post on the npmjs.com blog.
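
The --json change matters most to CI jobs that parse audit output and gate on severity. The sketch below is an added example, not code from npm or from this post: it normalizes the npm 6 report shape (advisories) and the npm 7 shape (auditReportVersion 2, vulnerabilities) and fails closed on anything else. The function names normalizeAudit and failsGate, the sample reports and the package names are constructed for illustration.

```javascript
// Added example: severity gate over `npm audit --json` from npm 6 or npm 7.
const SEVERITIES = ['info', 'low', 'moderate', 'high', 'critical'];

// Return [{ name, severity }] regardless of which npm wrote the report.
function normalizeAudit(report) {
  if (report.auditReportVersion === 2 && report.vulnerabilities) {
    // npm 7: one entry per affected package, keyed by package name.
    return Object.values(report.vulnerabilities).map((v) => ({
      name: v.name, severity: v.severity,
    }));
  }
  if (report.advisories) {
    // npm 6: one entry per advisory, keyed by advisory id.
    return Object.values(report.advisories).map((a) => ({
      name: a.module_name, severity: a.severity,
    }));
  }
  // Fail closed: an unknown shape must never read as "no findings".
  throw new Error('unrecognized npm audit report format');
}

// True when any finding is at or above `threshold`.
function failsGate(report, threshold = 'high') {
  const min = SEVERITIES.indexOf(threshold);
  if (min === -1) throw new Error(`unknown severity: ${threshold}`);
  return normalizeAudit(report).some((f) => {
    const rank = SEVERITIES.indexOf(f.severity);
    return rank === -1 || rank >= min; // unknown severity also fails
  });
}

// Constructed, heavily trimmed sample reports (package names are made up).
const npm6Report = {
  advisories: {
    1001: { module_name: 'example-parser', severity: 'high' },
    1002: { module_name: 'example-util', severity: 'low' },
  },
};
const npm7Report = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-parser': { name: 'example-parser', severity: 'high' },
    'example-util': { name: 'example-util', severity: 'low' },
  },
};

console.log(failsGate(npm6Report), failsGate(npm7Report));
```

A gate written only against the npm 6 shape would find no advisories key in an npm 7 report and could silently pass, which is why the unknown-format branch throws instead of returning an empty list.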

What’s next

We know npm 7 is a big change, and we want to take extra care to not break the millions of workflows that use npm, especially in production. For this reason, we are going to take a page from Node.js and roll this release out over time.

npm 7.0.0 will not be marked as latest; your workflows will not get npm v7.0.0 by default unless you opt in by running npm install -g npm@7 or install Node.js 15.

While we are confident that this release is ready to use daily, we want more real-world use to get your feedback and bug reports. When we are sure that npm 7 has met the bar to be included in a Node.js LTS release, we will be publishing the release line as latest.

We will also continue to improve the npm CLI with new features including improvements to workspaces and package overrides. If you have ideas for features for the npm CLI please check out our RFC repo and open an issue!