npm 4.0 Deprecates Prepublish Lifecycle Script


npm has released version 4.0.0, its first semver-major release since the release of npm 3 in 2015.

While still formally a trial release, v4 brings some breaking changes, including a rewritten npm search, the deprecation of prepublish, and changed behaviour for npm scripts.

Kat Marchán, software engineer for npm, shared the update on GitHub, saying that while npm's last major release "had some pretty serious impact", 4.0 is expected to have a much smaller impact on developers' day-to-day use, with changes mostly limited to the command-line interface and little impact on the larger ecosystem.

Marchán also mentions that the latest release is "the end of an era," with both npm 2.x and 3.x being moved into maintenance and no longer updated "with anything except critical bugfixes and security patches."

On the subject of npm search, Marchán said:

Let's face it -- npm search simply doesn't work anymore. Apart from the fact that it grew slower over the years, it's reached a point where we can no longer fit the entire registry metadata in memory, and anyone who tries to use the command now sees a really awful memory overflow crash from node.

Marchán says it will be some time before npm search can be overhauled altogether, but that, to improve the experience for developers, the team has rewritten the previous implementation in order to "stream results on the fly, from both the search endpoint and a local cache."

npm 4.0 also deprecates the prepublish lifecycle script, replacing it with a prepare script. Marchán told InfoQ: "The new script works the exact same way, and a new prepublishOnly event only runs when someone does npm publish."

This breaking change only affects individual users publishing new versions of their own packages, not the larger ecosystem of over 350,000 packages already published to the npm registry, Marchán says.

The 4.0 release for npm also makes partial shrinkwraps a thing of the past for users. npm shrinkwrap allows users to lock down the entire dependency tree to use specific versions of each package, so that two builds done by two different people, or at two different times.

Marchán said:

if you have an npm-shrinkwrap.json in your project, npm will no longer install anything that isn't explicitly listed there, unless it's a devDependency. This will open doors to some nice optimisations and make use of npm shrinkwrap just generally smoother by removing some awful corner cases. We will also skip devDependency installation from package.json if you added devDependencies to your shrinkwrap by using npm shrinkwrap --dev.
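The two changes described above (the prepublish deprecation and the stricter shrinkwrap handling) can be checked before upgrading. The following is an added example, not code from the article or from npm: the function name `auditForNpm4`, the finding format, and the sample package.json and npm-shrinkwrap.json contents are all constructed for illustration.

```javascript
// Added example: audit a project for the npm 4 changes described in the article.
// Function name, finding shape and sample data are hypothetical/constructed.

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// pkg: parsed package.json; shrinkwrap: parsed npm-shrinkwrap.json or null.
function auditForNpm4(pkg, shrinkwrap) {
  const findings = [];
  const scripts = pkg.scripts || {};

  // prepublish is deprecated: prepare works the same way, and
  // prepublishOnly runs only when someone does `npm publish`.
  if (has(scripts, 'prepublish')) {
    findings.push({ type: 'deprecated-script', name: 'prepublish',
      advice: 'rename to "prepare", or "prepublishOnly" for publish-only steps' });
  }

  if (shrinkwrap) {
    const locked = shrinkwrap.dependencies || {};
    // With a shrinkwrap present, npm 4 installs only what is listed there
    // (devDependencies excepted), so an unlisted runtime dependency is skipped.
    for (const name of Object.keys(pkg.dependencies || {})) {
      if (!has(locked, name)) {
        findings.push({ type: 'not-in-shrinkwrap', name,
          advice: 're-run npm shrinkwrap so this dependency is locked' });
      }
    }
  }
  return findings;
}

// Constructed sample input.
const samplePkg = {
  name: 'example-app',
  scripts: { prepublish: 'npm run build', test: 'mocha' },
  dependencies: { lodash: '^4.16.0', request: '^2.75.0' },
  devDependencies: { mocha: '^3.1.0' }
};
const sampleShrinkwrap = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: { lodash: { version: '4.16.4' } } // request was never locked
};

console.log(auditForNpm4(samplePkg, sampleShrinkwrap));
```

In a real project the two arguments would come from `JSON.parse` of the files on disk; a dependency reported as `not-in-shrinkwrap` is one that would be missing at runtime after an npm 4 install.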

The release does not contain only breaking changes: npm has also started sending Npm-Scope and Npm-In-CI headers in outgoing requests, allowing registries to implement user/scope-aware features and services.

Officially, 4.0 will become npm's latest release next week, with 4.0.1 due to follow shortly after with a few minor improvements.

The npm team recommends that developers regularly upgrade to the latest version of npm, but will continue to maintain a version that Node can use for default distribution.
