Release: npm@6.9.1-next.0

A new pre-release has been tagged!

You can install it with npm i -g npm@next or try it out with $ npx npm@next ... ! :sparkling_heart:

BUGFIXES

DEPENDENCIES


Is there a release date for 6.9.1? Where is the best place to watch for this information?

Probably at https://github.com/npm/cli/commits/release-next where the releases are prepared.

A new release is desperately needed. Any project that relies on npm hasn’t been able to pass npm audit since April.

Not sure why you would want to add npm as a local dependency in a package.json file. This should never be the case. Or I misunderstood this.

@DanielRuf npm is a dependency of, for instance, the @semantic-release/npm plugin, see https://github.com/semantic-release/npm/blob/master/package.json#L34 and also Can't update `tar`


Yes, this exactly. Every single package I administer uses semantic-release, so for the past two months every single package has been failing npm audit.

I used to have npm audit in my CI pipeline, but by now it’s been disabled in all of those projects. It is highly unlikely, to put it mildly, that a vulnerability in a dependency of semantic-release would cause problems, but despite many people being interested in an npm audit --production flag, and a promise that it was a WIP over a year ago, this option still hasn’t materialized.

On top of this, dependabot constantly harasses me about upgrading tar 2.2.1 to 2.2.2. It tries to upgrade it by editing package-lock.json directly, apparently, but to no avail because the next time you npm install, npm will helpfully downgrade the package for you, thanks to the fact that the npm package uses bundled dependencies.

And if none of that sways you, npm has been shipping a product with a known security vulnerability for the past two months (and tar is their own package, so it’s not like they were waiting on someone else to fix it).

While the github link to the releases may be helpful to see what is released there does not appear to be any verified information since March 19th. All other information is unverified and there does not seem to be any announcement, through any other resources on the github account.

I maintain a product whose builds run the Audit commands to generate a known issue report that can be addressed on a regular basis. This allows the product team to be aware of which packages have introduced issues and then triage them accordingly. This worked until 6.9.0, which introduced a bug that 6.9.1-next fixes, and that forced us to lock our builds down to 6.8.x. This caused all kinds of headaches in our process. It would be nice to be able to get back to our old cadence. :frowning:

While the github link to the releases may be helpful to see what is released there does not appear to be any verified information since March 19th.

Do you count

?