feat: Use npm v7 #304
Not sure why the integration tests fail with 403 errors.
Thanks a lot Daniel, I really want us to upgrade to
Possibly a bit off-topic, but I am a bit curious as to why it has to be a dependency at all. Is it not possible to use system npm?
The problem is compatibility. We don't know what system npm version you have, and making sure that the code is compatible with all current and future versions is a maintenance nightmare.
But it is also a bit nightmare-ish for users? It pulls many extra dependencies (some with security vulnerabilities) and it also causes incompatibilities in run scripts, e.g. system with npm 7 uses npm 6 (or vice versa after this PR) when using But I get your point, I was mostly curious about the reasoning.
Expect this issue to have more activity in the coming days, we received this notification two hours ago from dependabot. edit: Link to GHSA: GHSA-vx3p-948g-6vhq /
@gr2m I figured out why the integration tests fail. It is only because npm v7 does not set the maintainers field anymore on publish, but npm-registry-couchapp requires it to be set. To fix this I switched to the proper npm registry verdaccio instead of the docker image from here. Now all the tests seem to work :)
great work! Thank you so much! Just one question
  // Verify the logger has been called with the version updated
  t.deepEqual(t.context.log.args[0], ['Write version %s to package.json in %s', '1.0.0', cwd]);
});
Why did you remove this test?
Because it was testing npm internal stuff. Npm v7 does not format package.json files anymore, so this test failed because no newlines were present in the expected package.json.
I could have "fixed" the test and adjusted the expected output, but the test before this one (Preserve indentation and newline) does exactly the same thing then and the testname would have not really described anymore what it is testing. So I decided to remove it.
got it, thanks 👍🏼
🎉 This PR is included in version 7.1.0 🎉 The release is available on: Your semantic-release bot 📦🚀
This won't result in projects still using the old format publishing with the new This may not technically be breaking, but it is causing issues for some of our tooling that was calling npm and expecting the v6 output.
Is the
Hey @danez. 👋 Hope you are doing well. We've updated semantic-release/npm from 7.0.10 to 7.1.0 and since then our release flow isn't able to publish packages anymore to our private repository due to an authentication error. The release is performed inside a GitHub Action providing an

```yaml
- name: Release
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
  run: npm run release -- --debug
```

The error we're receiving is
Reverting the dependency update made our releases finish successfully again. Do you have any advice where to look for a fix?
Hey @weaintplastic, that is odd, as this error only appears if no credentials are found for the registry. https://github.com/npm/cli/blob/latest/lib/publish.js#L99-L109 What is the npm version that is now installed in your project?
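
One way to check in CI, before publishing, whether a `.npmrc` actually carries credentials for the target registry, which is the condition the reply above describes. This is an added example, not code from npm or semantic-release: the function names, the sample `.npmrc` and `registry.example.com` are constructed, and the matching rules (trailing slash normalised, parent paths tried) are simplifying assumptions rather than npm's exact lookup.

```javascript
// Added example (not npm's or semantic-release's code).
// Assumption: tokens live in .npmrc under keys of the form //host/path/:_authToken

// Constructed sample .npmrc, as a CI job might write it.
const SAMPLE_NPMRC = [
  '; constructed sample',
  'registry=https://registry.example.com/npm/',
  '//registry.example.com/npm/:_authToken=${NPM_TOKEN}',
].join('\n');

// Turn a registry URL into its .npmrc key prefix: //host[:port]/path/
function registryKeyPrefix(registryUrl) {
  const u = new URL(registryUrl);
  const path = u.pathname.endsWith('/') ? u.pathname : `${u.pathname}/`;
  return `//${u.host}${path}`;
}

// Parse .npmrc text into a Map, expanding ${VAR} references from `env`.
// An unset variable expands to '', which is how a missing secret shows up.
function parseNpmrc(text, env) {
  const config = new Map();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    const value = line.slice(eq + 1).trim()
      .replace(/\$\{([^}]+)\}/g, (_, name) => env[name] ?? '');
    config.set(line.slice(0, eq).trim(), value);
  }
  return config;
}

// Look for a token entry for the registry, most specific path first.
// Returns only the matching key, never the token value, so it is safe to log.
function findCredentials(registryUrl, npmrcText, env = {}) {
  const config = parseNpmrc(npmrcText, env);
  let prefix = registryKeyPrefix(registryUrl);
  for (;;) {
    const key = `${prefix}:_authToken`;
    if (config.has(key)) {
      return config.get(key)
        ? { ok: true, key }
        : { ok: false, key, reason: 'token expands to an empty string' };
    }
    const parent = prefix.replace(/[^/]+\/$/, ''); // drop last path segment
    if (parent === prefix || parent === '//') break;
    prefix = parent;
  }
  return { ok: false, key: null, reason: 'no _authToken entry matches this registry' };
}
```
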
@danez we are using node 15 and npm 7. we have a
which required swapping the registry from the integration tests to verdaccio, similar to the change in semantic-release/npm#304 for #2055
I updated npm from v6 to v7. Reading the blog posts there shouldn't be any breaking changes, at least not in the functionality that semantic-release uses.
One test failed, but it was testing npm internal stuff about formatting of package.json, so I removed it. (npm v7 does seem to preserve whatever formatting is in the file and just replace the version.) Hope that is okay?