npm 5 有了很大的进步，在几乎所有常见的情况下显著地改进了其性能，修复了很多由架构导致的旧的错误，使其更稳定和具有更好的容错性。这对于需要一致性/安全保证的用户是个好消息，新版还为 git 依赖提供了语义化支持。
现有的 npm 缓存将不再使用：您将不得不重新下载全部缓存的软件包。没有任何工具或意图重新使用旧的缓存 (#15666)
不要再使用大写的 npm（npm will now scold you if you capitalize its name. seriously it will fight you.）
--save by default now。另外，除非
package-lock.json 将会自动创建 (#15666)
user/repo#semver:^1.2.3，Git 依赖支持语义化 (#15308) (#15666) (@sankethkatta)
移除 Stub 文件 (#16204) (@watilde)
_token couchToken 已被移除 (#12986)
npm install ./packages/subdir will now create a symlink instead of a regular installation.
file://path/to/tarball.tgz will not change – only directories are symlinked. (#15900)
Git dependencies with
prepare scripts will have their
devDependencies installed, and
npm install run in their directory before being packed.
npm cache commands have been rewritten and don’t really work anything like they did before. (#15666)
--cache-max have been deprecated. (#15666)
Running npm while offline will no longer insist on retrying network requests. npm will now immediately fall back to cache if possible, or fail. (#15666)
package locks no longer exclude
optionalDependencies that failed to build. This means package-lock.json and npm-shrinkwrap.json should now be cross-platform. (#15900)
If you generated your package lock against registry A, and you switch to registry B, npm will now try to install the packages from registry B, instead of A. If you want to use different registries for different packages, use scope-specific registries (
npm config set @myscope:registry=https://myownregist.ry/packages/). Different registries for different unscoped packages are not supported anymore.
Shrinkwrap and package-lock no longer warn and exit without saving the lockfile.
Local tarballs can now only be installed if they have a file extensions
A new loglevel,
notice, has been added and set as default.
One binary to rule them all:
./cli.js has been removed in favor of
./bin/npm-cli.js. In case you were doing something with
./cli.js itself. (#12096) (@watilde)