The npm Blog

This week npm@6 is going to be promoted to latest and so now is an excellent time to look forward. If you dig into it you’ll find that it doesn’t have much in the way of breaking changes. Later this year we’ll be releasing npm@7. First there are a few new features, these will initially ship as npm@6 minor releases:

• We will be introducing package aliases as described in #5499 for use with assets, to support conflict resolution.
• As an optimization, npm install will be updated to be an alias for npm ci when they would produce the same result, that is, that your package-lock is compatible with your package.json and you’re starting with no node_modules.
• Combine bundling and the v8 compile cache to reduce latency when running the npm cli.

The breaking changes in npm@7 should not be disruptive but are important:

• npm login and npm adduser will finally be split apart. Up till now they’ve been the same command, which is why npm login prompted for an email address.
• npm init will be getting an overhaul, both with allowing easy third-party init templates and with some new one’s from us, to help you configure your CI and git environments.
• Changes to how npm runs under sudo and how it handles permissions as root to make it less surprising. Look for a new RFC soon!
• The npm link rewrite as described in its associated RFC.
• Output from preinstall, install and postinstall scripts when running for a dependency will have their output captured and it will only be displayed if there’s an error. They will run with stdin closed. This means that install lifecycle scripts in projects installed as dependencies will not be able to be interactive. For all other lifecycle scripts, output will be captured and routed to the log and also outputted to stdout.
• Allow package aliases to be used for any dependency type.

After npm@7, in the late summer and fall of 2018, our plans are somewhat more tentative, but we have a few things we’d like to get out to you all:

• npx has been a huge success, but it can mean that you’re running untrusted code from the registry. We have a number of thoughts about how to improve its security, from looking for known vulnerabilities to catching typo-squatting.
• Integrating the functionality of shrinkpack into npm directly. This would allow for entirely offline deploys even without a cache. It will also let you deploy with git dependencies without having git installed on your production machines.
• We have two installation engines with different tradeoffs in npm install and npm ci. If one fails due to certain classes of error then we should try the other.
• Workspaces, as seen in Yarn, for management of certain kinds of monorepos.
• An option to run npm in low memory environments, this would disable in-memory caching of data at the cost of speed.
• Begin exploring updating dependencies in your package.json from your source code… (npm init auto?)

As we work our way through the year we will likely be rewriting a number of other components in npm, either as we need them or as the community provides them.

• Stand alone libraries to generate a “logical tree”, that is, one that represents the relationships between modules but not their locations on disk.
• New, faster, on-disk tree readers that produce trees like the above from an existing node_modules.
• Two-pass installer where resolution of the logical tree is distinct from computing the physical tree. With this we may be able to, at long last, end the pain around peerDependencies.
• Many years ago, npm’s configuration was extracted as a stand alone module, but it was so tightly coupled with the rest of npm that we ultimately brought it back in. We’ve been slowly working on extracting it again, carefully decoupling it from the rest of the code base.
• npm outdated could use with a rewrite as it has the hackiest of shims to make it work at all. It was originally designed to run off of read-installed output which is what npm@1 and npm@2 used to read node_modules. A version that was designed to run off of modern npm data structures would be much easier to understand.
• Similarly, npm ls would benefit a great deal from being updated to work off of modern data structures.
• We’ve nearly eliminated npm-registry-client (and in turn request) from the npm code base. With the advent of npm-registry-fetch (which is based off make-fetch-happen and in turn node-fetch) we can finally complete this.
• Once we have support for Workspaces, npm itself could benefit from bringing a bunch of its closely related modules together into a monorepo.

For more…

Watch this blog, follow @npmjs on Twitter and subscribe to our newsletter!

If you want to follow development as it happens the best place to go is #js-npm on the package.commmunity discord.