Version 5 of NPM is released and it is packed full of goodies! http://blog.npmjs.org/post/161081169345/v500
Bundled in all new installations of Node.js 8
New Features
- A new, standardised lockfile feature meant for cross-package-manager compatibility (package-lock.json), and a new format and semantics for shrinkwrap.
- --save is no longer necessary. All installs will be saved by default. You can prevent saving with --no-save. Installing optional and dev deps is unchanged.
- Installing a package directory now ends up creating a symlink and does the Right Thing™ as far as saving to and installing from the package lock goes. If you have a monorepo, this might make things much easier to work with, and probably a lot faster too.
- Project-level (toplevel) preinstall scripts now run before anything else, and can modify node_modules before the CLI reads it.
- Two new scripts have been added, prepack and postpack, which will run on both npm pack and npm publish, but NOT on npm install (without arguments).
- Git dependencies with prepare scripts will now have their devDependencies installed, and their prepare script executed as if under npm pack.
- Git dependencies now support semver-based matching: npm install git://github.com/npm/npm#semver:^5
- node-gyp now supports node-gyp.cmd on Windows.
- npm no longer blasts your screen with the whole installed tree. Instead, you’ll see a summary report of the install that is much kinder on your shell real-estate, especially for large projects. (#15914):
    $ npm install
    npm added 125, removed 32, updated 148 and moved 5 packages in 5.032s.
    $
- Cache Rewrite! (lots of stuff there, read the blog post for more)
npm install npm@latest -g and PROFIT
We’ve reworked package metadata, package download, and package caching, and this has sped things up significantly. In general, expect performance improvements of 20–100%; we’ve also seen some installations and version bumps that run 5x faster.
Default lockfiles
Shrinkwrap has been a part of npm for a long time, but npm@5 makes lockfiles the default, so all npm installs are now reproducible. The files you get when you install a given version of a package will be the same, every time you install it.
We’ve found countless common and time consuming problems can be tied to the “drift” that occurs when different developer environments utilize different package versions. With default lockfiles, this is no longer a problem. You won’t lose time trying to figure out a bug only to learn that it came from people running different versions of a library.
SHA-512 hashes
npm@5 adds support for any tarball hash function supported by Node.js, and it publishes with SHA-512 hashes. By checking all downloaded packages, you’re protected against data corruption and malicious attacks, and you can trust that the code you download from the registry is consistent and safe.
Self-healing cache
Our new caching is wicked fast, but it’s also more resilient. Multiple npm processes won’t corrupt a shared cache, and npm@5 will check data on both insertion and extraction to prevent installing corrupted data. If a cache entry fails an integrity check, npm@5 will automatically remove it and re-fetch.
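The integrity check and the remove-and-re-fetch behaviour described in the two sections above can be sketched in Node.js as follows. This is an added example, not npm's own code: the function names, the in-memory Map cache, the algorithm preference order and the sample data are all assumptions made for illustration, and the integrity strings use the `<algorithm>-<base64 digest>` form found in package-lock.json.

```javascript
const crypto = require('node:crypto');

// Preference order used by this example (an assumption), strongest first.
const PREFERENCE = ['sha512', 'sha384', 'sha256', 'sha1'];

// Build an integrity string such as "sha512-<base64 digest>" for some bytes.
function integrityOf(data, algorithm = 'sha512') {
  return `${algorithm}-${crypto.createHash(algorithm).update(data).digest('base64')}`;
}

// Split "sha512-AAA= sha1-BBB=" into entries, dropping malformed ones and
// algorithms this Node.js build cannot compute.
function parseIntegrity(sri) {
  const supported = new Set(crypto.getHashes());
  return String(sri).trim().split(/\s+/).map((entry) => {
    const dash = entry.indexOf('-');
    const digest = entry.slice(dash + 1).split('?')[0]; // SRI allows ?options
    return { algorithm: entry.slice(0, Math.max(dash, 0)), digest };
  }).filter((h) => h.algorithm && h.digest && supported.has(h.algorithm));
}

// Trust only the strongest algorithm listed, so a sha1 entry cannot vouch for bad data.
function verify(data, sri) {
  const hashes = parseIntegrity(sri);
  const best = PREFERENCE.find((alg) => hashes.some((h) => h.algorithm === alg));
  if (!best) return false; // nothing verifiable: fail closed
  const actual = crypto.createHash(best).update(data).digest();
  return hashes.filter((h) => h.algorithm === best).some((h) => {
    const expected = Buffer.from(h.digest, 'base64');
    return expected.length === actual.length && crypto.timingSafeEqual(expected, actual);
  });
}

// Read-through cache: data is checked on extraction and on insertion; a bad
// entry is deleted and fetched again (fetchFn is a hypothetical downloader).
function getVerified(cache, key, sri, fetchFn) {
  const cached = cache.get(key);
  if (cached && verify(cached, sri)) return cached;
  cache.delete(key);
  const fresh = fetchFn(key);
  if (!verify(fresh, sri)) throw new Error(`integrity check failed for ${key}`);
  cache.set(key, fresh);
  return fresh;
}

// Constructed sample: a cache whose only entry has been corrupted.
const demoTarball = Buffer.from('constructed tarball bytes');
const demoCache = new Map([['example-pkg@1.0.0', Buffer.from('bit rot')]]);
console.log(getVerified(demoCache, 'example-pkg@1.0.0', integrityOf(demoTarball), () => demoTarball).equals(demoTarball));
```
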
What About Yarn?
Episode 91 talks about Yarn and the possibility of NPM having the same behaviours in the future.