npm 7 is now generally available!
After much anticipation, the npm CLI version 7 is now generally available!
After much anticipation, the npm CLI version 7 is now generally available!
In addition to new features and some breaking changes, we have made a significant impact on the performance of npm 7 as compared to npm 6 including:
- Increasing our development velocity/tempo to a weekly release cadence, most notably: we shipped 45 releases since August (an average of ~two a week)
- Reducing dependencies by ~46% (67 in npm 7 and 123 in npm 6)
- Increasing code coverage by ~17% (94% in npm 7 vs. 77% in npm 6)
- Seeing significant performance improvements in various benchmarks across various examples
Please note, npm 7 is now published as latest to the npm registry and will be the default version installed when you run npm install --global npm. If you want to install npm 6, please run npm install --global npm@6.
Breaking changes
Despite the massive overhaul to the internals of npm, we have worked tirelessly to ensure that there will be minimal disruptions to most workflows. That said, some changes are necessary to improve the overall developer experience. You can read up on the breaking changes in the announcement blog.
Changes to the lockfile
One change to take note of is the new lockfile format, which is backwards compatible with npm 6 users. The lockfile v2 unlocks the ability to do deterministic and reproducible builds to produce a package tree.
In prior versions, the yarn.lock files were ignored, the npm CLI can now use yarn.lock as the source of package metadata and resolution guidance. If a yarn.lock file is present, then npm will also keep it up-to-date with the contents of the package tree.
Running npm install with npm 7 in a project with a v1 lockfile will replace that lockfile with the new v2 format. To avoid this, you can run npm install --no-save.
Peer dependencies
Automatically installing peer dependencies is an exciting new feature introduced in npm 7. In previous versions of npm (4-6), peer dependencies conflicts presented a warning that versions were not compatible, but would still install dependencies without an error. npm 7 will block installations if an upstream dependency conflict is present that cannot be automatically resolved.
You have the option to retry with --force to bypass the conflict or --legacy-peer-deps command to ignore peer dependencies entirely (this behavior is similar to versions 4-6).
Since many packages in the ecosystem have come to rely on loose peer dependencies resolutions, npm 7 will print a warning and work around most peer conflicts that exist deep within the package tree, since you can’t fix those anyway. To enforce strictly correct peer dependency resolutions at all levels, use the --strict-peer-deps flag.
Thank you
We want to conclude by giving a big shout out to our community members who submitted changes, participated in the RFC calls, provided feedback, and were early adopters. We strive to continue to improve the npm CLI, so If you have future feedback, please leverage the npm/feedback repository discussions.
Written by
Related posts
Announcing GitHub Secure Open Source Fund: Help secure the open source ecosystem for everyone
Applications for the new GitHub Secure Open Source Fund are now open! Applications will be reviewed on a rolling basis until they close on January 7 at 11:59 pm PT. Programming and funding will begin in early 2025.
Software is a team sport: Building the future of software development together
Microsoft and GitHub are committed to empowering developers around the world to innovate, collaborate, and create solutions that’ll shape the next generation of technology.
Does GitHub Copilot improve code quality? Here’s what the data says
Findings in our latest study show that the quality of code written with GitHub Copilot is significantly more functional, readable, reliable, maintainable, and concise.