Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

deps: upgrade npm to 7.21.0 #39813

Closed
wants to merge 1 commit into from
Closed

deps: upgrade npm to 7.21.0 #39813

wants to merge 1 commit into from

Conversation

npm-robot
Copy link
Contributor

@npm-robot npm-robot commented Aug 19, 2021

v7.21.0 (2021-08-19)

FEATURES

BUG FIXES

DEPENDENCIES

  • df57f0d53 @npmcli/run-script@1.8.6
  • 8183976cf normalize-package-data@3.0.3:
    • fix: account for "licence" as spelling variant
  • f07772401 init-package-json@2.0.4
  • 991a3bd39 read-package-json@4.0.0
  • e9e5ee560 @npmcli/arborist@2.8.2:
    • fix: treat top-level global packages as "top" nodes
    • fix: load global symlinks implicitly as file: deps
    • fix(reify): debug crash when extracting into symlink
    • fix: node_modules must be a directory
    • fix: make Node.children() a case-insensitive Map
    • fix(reify): verify existing deps in nm are dirs
  • b6f40b5f8 tar@6.1.10:
    • fix: prune dirCache properly for unicode, windows
    • fix: reserve paths properly for unicode, windows
    • fix: prevent path escape using drive-relative paths
    • fix: drop dirCache for symlink on all platforms
  • 218cacadc is-core-module@2.6.0
  • 7ac621cd1 smart-buffer@4.2.0
  • 94f92de13 make-fetch-happen@9.0.5
  • 71cdfd898 spdx-license-ids@3.0.10:
    • update license list to v3.14

v7.20.6 (2021-08-12)

DEPENDENCIES

  • 5bebf280f tar@6.1.8
    • fix: reserve paths case-insensitively
  • 5d89de44d tar@6.1.7:
    • fix: normalize paths on Windows systems
  • a1bdbea97 #3569 remove byte-size (@wraithgar)
  • 61782fa85 @npmcli/map-workspaces@1.0.4:
    • fix: better error message for duplicate workspace names
  • b88f770fa @npmcli/arborist@2.8.1:
    • #3632 Fix "cannot read property path of null" error in 'npm dedupe'
    • fix(shrinkwrap): always set name on the root node

DOCUMENTATION

v7.20.5 (2021-08-05)

DEPENDENCIES

  • 44377738e graceful-fs@4.2.8
    • fix: start retrying immediately, stop after 60 seconds

v7.20.4 (2021-08-05)

BUG FIXES

DEPENDENCIES

  • 15fae4941 tar@6.1.6:
    • fix: properly handle top-level files when using strip
    • Avoid an unlikely but theoretically possible redos
    • WriteEntry backpressure
    • fix(unpack): always resume parsing after an entry error
    • fix(unpack): fix hang on large file on open() fail
    • fix: properly prefix hard links
  • 745326de0 libnpmexec@2.0.1:
    • Clear progress bar which overlays confirm prompt
  • e82bcd4e8 graceful-fs@4.2.7:
    • fix: start retrying immediately, stop after 10 attempts

@nodejs-github-bot nodejs-github-bot added dont-land-on-v12.x fast-track PRs that do not need to wait for 48 hours to land. needs-ci PRs that need a full CI run. npm Issues and PRs related to the npm client dependency or the npm registry. labels Aug 19, 2021
@github-actions
Copy link
Contributor

Fast-track has been requested by @nodejs-github-bot. Please 👍 to approve.

@npm-robot
Copy link
Contributor Author

Supersedes #39681

@nodejs-github-bot
Copy link
Collaborator

Copy link
Contributor

@MylesBorins MylesBorins left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@nodejs-github-bot
Copy link
Collaborator

lpinca pushed a commit that referenced this pull request Aug 20, 2021
PR-URL: #39813
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Rich Trott <rtrott@gmail.com>
@lpinca
Copy link
Member

lpinca commented Aug 20, 2021

Landed in 248f4c3.

@targos
Copy link
Member

targos commented Aug 22, 2021

@nodejs/npm this doesn't land cleanly on v16.x-staging. Can you please backport (if possible, in a way that future updates can be cherry-picked from master)?

MylesBorins added a commit that referenced this pull request Aug 23, 2021
PR-URL: #39813
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Rich Trott <rtrott@gmail.com>
@MylesBorins
Copy link
Contributor

MylesBorins commented Aug 23, 2021

@targos I've landed the change in cce95c4

Will double check with team to ensure it is correct (I'm running the update script to ensure the output is expected / consistent)

edit: I've manually confirmed that the release is exactly what is expectd 🎉

@targos
Copy link
Member

targos commented Aug 23, 2021

@MylesBorins awesome, thanks!

@redick-simon
Copy link

Hi team,
When we can expect this to be shipped with node 16.x, current npm 7.20.3 has some vulnerability issue due to tar 6.1.0

Please let me know in case we can expect a node release in this week.

Thanks!!

@targos
Copy link
Member

targos commented Aug 25, 2021

Expect a release in the next 24 hours: #39875

@Trott
Copy link
Member

Trott commented Aug 25, 2021

Hi team,
When we can expect this to be shipped with node 16.x, current npm 7.20.3 has some vulnerability issue due to tar 6.1.0

Please let me know in case we can expect a node release in this week.

Thanks!!

@redick-simon npm install -g npm will install the updated version on your system. You don't need to wait for a Node.js release to get the update. (You might already know this and you want/need a release with it for a specific use case, in which case this comment is for the benefit of other readers/observers.)

@redick-simon
Copy link

Thanks @Trott ! Actually I'm waiting for node docker image free of tar vulnerability issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
fast-track PRs that do not need to wait for 48 hours to land. needs-ci PRs that need a full CI run. npm Issues and PRs related to the npm client dependency or the npm registry.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

8 participants