Update npm to 2.x in Node 0.10 #5570
Comments
/cc @nodejs/lts The update to 1.4.29 happened about 4 months ago when we were still figuring out the support system we were going to use for LTS releases. At the current moment 0.10 is in Maintenance mode and will be receiving only critical bug fixes and critical security fixes, as mentioned in our lts guide. 0.10 is scheduled to end Maintenance in October of this year. At this point I think it is fairly safe to assume that any changes to npm would fall outside of the current support offered for v0.10. It is unfortunate that the message output by npm is not in line with the current plan... but I doubt we would do any updates to npm on v0.10 again. I'm going to leave this open for a couple days so people can chime in, but will likely close this as a wont-fix Monday or Tuesday unless there are others from @nodejs/lts who feel otherwise.
I see, thanks for the explanation. In that case changing this message so that it doesn't lie might be considered a bug fix but since it's not security-related I'd understand if you don't want to land it (OTOH, changing it would be trivial ;)).
@mgol It is pretty unfortunate to have the wrong messaging... but fixing that would require a new npm release, and for that npm release to be downstreamed to v0.10. I don't think it is likely to happen. edit: I was wrong 😄
If you don't plan future npm updates, you can change it in the Node repo as Michał Gołębiowski
Related: #3639.
@ChALkeR The PR linked was released in Node 0.10.41 on Dec 4, 2015, over a month after Node 5.0.0 was released. I thought LTS rules were already established then?
I guess we should /cc @nodejs/lts and @othiym23 for that.
ping @nodejs/npm, I've also been asking for an update on 0.12 which has an older v2. Do we have a doc somewhere on how to properly do this upgrade ourselves without messing things up? I've not been brave enough to dive in there but would really like to be able to get both 0.10 and 0.12 updated.
Yeah, looking at the 1.4.29 PR & related discussions, while npm@2 contains minor breaking changes it also contains security fixes; npm@1 may e.g. leak user credentials on publish which is serious. I think it might be treated as a security fix with minor, unavoidable, breaking changes. It'd be good to avoid the Node 0.8 fiasco where an old npm was never upgraded after all, leaving users with a broken & vulnerable copy.
Say the word and you'll have piping hot PRs containing the newest
OOoooops
@rvagg It's documented on the npm wiki, and I've done it before. (I forget when, a while ago) I think the best way to go about this is to have npm PRs and then create RCs. cc @nodejs/npm if it's not a bother, would you mind doing the PRs? Whether you do official releases before or not is up to you. I am ok having an RC for testing first before having an official npm release of 1.x if that is more favorable.
Am I missing something? Why would we need one more npm release in 1.x branch?
Sure, @Fishrock123, I'll assemble those PRs today. To be clear, though, those are both using
Doh. @othiym23 yes, I was in error.
Node.js v0.10.44 is out with npm v2.15.1.
node -v
v0.10.43
uname -a
output, or if Windows, version and 32-bit or 64-bit
Darwin mgol-mbpro.local 15.3.0 Darwin Kernel Version 15.3.0: Thu Dec 10 18:40:58 PST 2015; root:xnu-3248.30.4~1/RELEASE_X86_64 x86_64
npm
Since 2-3 0.10.x versions the included npm 1.4.29 on each operation displays a message:
The message claims that the next version of 0.10 will include the upgrade to npm 2; however, there have already been a few versions displaying this message so without the promised update.
cc @othiym23