Release: npm@6.4.0-next.0


(Kat Marchán) #1

A new prerelease of the npm cli has been tagged!

You can install it with npm i -g npm@next or try it out with npx npm@next …

Prereleases are promoted to latest after a week if no serious issues stop them. Please give it a whirl and tell us what you think!

latest: 6.3.0
next: 6.4.0-next.0

Oh and… we’re gonna start including changelogs in here directly, instead of linking to the blog! That should help center our activity around more :)


  • 6e9f04b0b npm/cli#8 Search for authentication token defined by environment variables by preventing the translation layer from env variable to npm option from breaking :_authToken. (@mkhl)
  • 84bfd23e7 npm/cli#35 Stop filtering out non-IPv4 addresses from local-addrs, making npm actually use IPv6 addresses when it must. (@valentin2105)
  • 792c8c709 npm/cli#31 configurable audit level for non-zero exit npm audit currently exits with exit code 1 if any vulnerabilities are found of any level. Add a flag of --audit-level to npm audit to allow it to pass if only vulnerabilities below a certain level are found. Example: npm audit --audit-level=high will exit with 0 if only low or moderate level vulns are detected. (@lennym)



A very special dependency update event! Since the release of node-gyp@3.8.0, an awkward version conflict that was preventing request from begin flattened was resolved. This means two things:

  1. We’ve cut down the npm tarball size by another 200kb, to 4.6MB
  2. npm audit now shows no vulnerabilities for npm itself!

Thanks, @rvagg!


npm i npm@6.2.0 (latest) shows security noise