npm v9.0.0 released

--- title: "npm v9.0.0 released" labels: npm, cli, major, release date: 2022-10-19 --- The `npm` CLI team has been working hard over the past few months and are happy to announce the release of the next major version - [`v9.0.0`](hhttps://github.com/npm/cli/releases/tag/v9.0.0) - today! ### Installation You can start using `npm` `v9.0.0` today by running: ```bash $ npm i -g npm@9 ``` ### About this release Our goal with this major release was to standardize appropriate defaults and clean up legacy configurations where possible. We believe the changes made lay the ground-work for future improvements to the default `npm` experience long-term. Notably, Docker users should find this release to to be beneficial as we simplifie file permissions (ref. [#5703](https://github.com/npm/cli/pull/5703) & [#5704](https://github.com/npm/cli/pull/5704)). ### Timeline to GA Although we have published `v9.0.0` today, we are not immediately setting this release to `latest` in the npm registry or considering this "Generally Available." Our team has been [coordinating with the Node.js Release WG](https://github.com/nodejs/Release/issues/778) on a phased approach to making `v9` the next major version of the CLI available to the widest audience; this means ensuring `v9` can be safely backported to as many Node.js LTS versions as possible. With that in mind, we've put together a phased roll-out plan outlined below: - **Wednesday Oct. 19th** (today) - `npm@9.0.0` is released & set to the `next-9` dist-tag (previously used for pre-releases) - The CLI team will continue to cut minor & patch versions of `v9.x`, addressing any feedback or unexpected issues arising from the breaking changes (outlined below) - **Wednesday Nov. 9th** (General Availability) - To ensure `npm@9.x` is considered "non-breaking" for Node.js LTS we will codify a set of exit criteria in collaboration with the [Release WG](https://github.com/nodejs/release) - `npm@9.x` will be set to the `latest` dist-tag (becoming the latest, maintained version of `npm`) - A PR will be opened to land `npm@9.x` in `nodejs/node`'s `main` branch (exposing experimental/nightly users to this latest version) - **Wednesday Dec. 7th** (~4 weeks after GA) - A PR will be opened to backport `npm@9.x` in `node@19` - **Wednesday Jan. 18th** (~6 weeks after `node@19` backport) - A PR will be opened to backport `npm@9.x` in `node@18` ### ⚠️ Notable Breaking Changes * the compatible semver ranges of `node` have been updated to: `^14.17.0 || ^16.13.0 || >=18.0.0` * `npm` will no longer attempt to modify ownership of files it creates * the presence of auth related settings that are not scoped to a specific registry found in a config file is no longer supported and will throw errors * `login`, `adduser`, and `auth-type` changes - legacy auth types `sso`, `saml` & `legacy` have been consolidated into `"legacy"` - `auth-type` defaults to `"web"` - `login` and `adduser` are now separate commands that send different data to the registry. - `auth-type` config values `web` and `legacy` only try their respective methods, npm no longer tries them all and waits to see which one doesn't fail. * `npm pack` now follows a strict order of operations when applying ignore rules. If a `files` array is present in the `package.json`, then rules in `.gitignore` and `.npmignore` files from the root will be ignored. * links generated from git urls will now use `HEAD` instead of `master` as the default ref * `timing` and `loglevel` changes - `timing` has been removed as a value for `--loglevel` - `--timing` will show timing information regardless of `--loglevel`, except when `--silent` * `--timing` file changes: - When run with the `--timing` flag, `npm` now writes timing data to a file alongside the debug log data, respecting the `logs-dir` option and falling back to `<CACHE>/_logs/` dir, instead of directly inside the cache directory. - The timing file data is no longer newline delimited JSON, and instead each run will create a uniquely named `<ID>-timing.json` file, with the `<ID>` portion being the same as the debug log. - Finally, the data inside the file now has three top level keys, `metadata`, `timers`, and `unfinishedTimers` instead of everything being a top level key. * `npm` now outputs some json errors on stdout. Previously `npm` would output all json formatted errors on stderr, making it difficult to parse as the stderr stream usually has logs already written to it. In the future, `npm` will differentiate between errors and crashes. Errors, such as `E404` and `ERESOLVE`, will be handled and will continue to be output on stdout. In the case of a crash, `npm` will log the error as usual but will not attempt to display it as json, even in `--json` mode. Moving a case from the category of an error to a crash will not be considered a breaking change. For more information see npm/rfcs#482. * deprecate boolean install flags in favor of `--install-strategy` * deprecate `--global-style`, `--global` now sets `--install-strategy=shallow` * deprecate `--legacy-bundling`, now sets `--install-strategy=nested` * `npm config set` will no longer accept deprecated or invalid config options * `install-links` config defaults to `"true"` * `node-version` config has been removed * `npm-version` config has been removed * `npm access` subcommands have been renamed * `npm birthday` has been removed * `npm set-script` has been removed * `npm bin` has been removed (use `npx` or `npm exec` to execute binaries) ### Notable Features * [`a09e19d`](https://github.com/npm/cli/commit/a09e19d88f046e54e8d75343883635a1bd056310) [#5696](https://github.com/npm/cli/pull/5696) new `npm config fix` command (@nlf) * [`3445da0`](https://github.com/npm/cli/commit/3445da0138f9eed9d73d2b3f5f451fcc1fa2e3fe) `npm` timings are now written alongside debug log files (@lukekarrys) * [`6ee5b32`](https://github.com/npm/cli/commit/6ee5b320d2eab58c18d50b861b3cfabe7f24124a) query: display `queryContext` in results (@nlf) * [`314311c`](https://github.com/npm/cli/commit/314311c61b8f341715c168199d52976ee3237077) [#5550](https://github.com/npm/cli/pull/5550) separate `login`/`adduser` & remove unnecessary auth types (@wraithgar) * [`de2d33f`](https://github.com/npm/cli/commit/de2d33f3ed42e187803bdd31db4f7a12f08f353c) add `--install-strategy=hoisted|nested|shallow`, deprecate `--global-style`, `--legacy-bundling` (#5709) (@fritzy) ### Notable Bug Fixes * [`e4e8ae2`](https://github.com/npm/cli/commit/e4e8ae20aef9e27e57282e87e8757d5b364abb39) `npm pack` should obey `foregroundScripts` (@winterqt) * [`07fabc9`](https://github.com/npm/cli/commit/07fabc93007495f0926f4dd24b4350c07d92887d) [#5633](https://github.com/npm/cli/pull/5633) `npm link` should override `--install-links=true` (@fritzy) * [`0d90a01`](https://github.com/npm/cli/commit/0d90a011fff411c878ba4b44582f14ef7dbdceb1) [#5480](https://github.com/npm/cli/pull/5480) audit: add a condition to allow third-party registries returning E400 (@juanheyns, Juan Heyns) * [`fc82298`](https://github.com/npm/cli/commit/fc8229824fedcd6ba79608b854e97e30d54958f4) [#5295](https://github.com/npm/cli/pull/5295) `npm hook ls` duplicates hook name prefixes (@gennadiygashev) For more information about this release, check out the GitHub [release notes](hhttps://github.com/npm/cli/releases/tag/v9.0.0).