NPM 4 seeks to fix JavaScript package search

Other breaking changes include removal of the npat config setting, deprecation of the prepublish lifecycle script, and discontinuation of partial shrinkwraps

NPM Inc. is offering version 4.0.0 of the NPM package manager for JavaScript, while NPM 2 and 3 are set for maintenance mode.

The 4.0.0 version introduces several breaking changes but is not considered as dramatic as its predecessor, having less impact on day-to-day operations than version 3, according to NPM. Both versions 2 and 3 will move to the background with the release of NPM 4.

"We will no longer be updating those release branches with anything except critical bug fixes and security patches," said NPM's Kat Marchán, a CLI engineer. "We're still committed to NPM 2 and NPM 3 working, and NPM 2 remains our LTS (long term support) version, because both of these are going to be used by Node 4 and Node 6 respectively." NPM 4.0.0 is scheduled to become the default latest version in two weeks.

Among the breaking changes in version 4.0.0 is a rewrite of npm search, the command for searching for packages on the NPM registry, so that it streams results. "Let's face it -- npm search simply doesn't work anymore," said Marchán. "Apart from the fact that it grew slower over the years, it's reached a point where we can no longer fit the entire registry metadata in memory, and anyone who tries to use the command now sees a really awful memory overflow crash from node."

Other breaking changes include NPM scripts no longer prepending the path of the node executable used to run NPM before running scripts, the removal of the npat config setting, and deprecation of the prepublish lifecycle script, which is replaced by a prepare script. Discontinuation of support for partial shrinkwraps and removal of npm tag after a deprecation cycle are considered breaking changes as well; the npm dist-tag capability should be used instead of npm tag.

NPM anticipates an accelerated release schedule for the package manager now that the CLI team has finished focusing on sustaining work, said Marchán. "We're planning a major overhaul of shrinkwrap as well as various speed and usability fixes for that release." NPM shrinkwrap locks down the versions of package dependencies so that developers can control which versions of each dependency will be used when a package is installed. NPM 3, released a little more than a year ago, offered a new installer and significant structural changes to how NPM set up a tree, Marchán said.

Earlier this year, NPM came under fire when the removal of a small JavaScript package from the NPM registry impacted other packages that depended on it. NPM said the situation was rectified partially within minutes and fully within 2.5 hours. "Within a week of the event, we updated our policy on contributors' un-publishing their modules and we disabled the npm unpublish command for a package if it's been up for more than 24 hours," Marchán said.

Copyright © 2016 IDG Communications, Inc.