3.16.0 (2019-07-18)

Bug Fixes

• command: Bump minimum range of lodash, silence dumb 'security' warning (c405871)
• conventional-commits: Hard-pin lodash.template dependency to silence 'helpful' security warning (c54ad68)
• deps: Bump @evocateur/pacote (03e4797)
• deps: Update forked npm libs (4d67426)
• npm-conf: OTP should default to undefined, figgy pudding is very strict (2fa02a8)
• pack-directory: Bump npm-packlist + tar dependencies (59ebd19)
• package-graph: Flatten cycles to avoid skipping packages (#2185) (b335763)
• project: Ensure deprecated githubRelease config is also remapped from command.publish namespace (a3d264e), closes #2177
• publish: Add --graph-type option to control packages included in topological sort (#2152) (ae87669), closes #1437
• publish: Allow --no-verify-access to prevent checking for account-level 2FA (ce58d8f)
• publish: OTP cache should be seeded from conf value, not CLI directly (cf56622)
• publish: Propagate root license into custom publish directories (d410a58), closes #2157

Features

• bootstrap: Add --strict option to enable throwing when --hoist warns (#2140) (91437b5)
• deps: @octokit/plugin-enterprise-rest@^3.6.1 (74a3890)
• deps: @octokit/rest@^16.28.4 (5f09f50)
• deps: byte-size@^5.0.1 (ed51ddd)
• deps: conventional-recommended-bump@^5.0.0 (2a0ed60)
• deps: fs-extra@^8.1.0 (313287f)
• deps: get-port@^4.2.0 (778ae6a)
• deps: glob-parent@^5.0.0 (c6bc218)
• deps: globby@^9.2.0 (d9aa249)
• deps: import-local@^2.0.0 (14d2c66)
• deps: is-ci@^2.0.0 (ab2ad83)
• deps: load-json-file@^5.3.0 (3718cc9)
• deps: multimatch@^3.0.0 (968b0d7)
• deps: p-map@^2.1.0 (9e58394)
• deps: pify@^4.0.1 (f8ee7e6)
• deps: semver@^6.2.0 (d8016d9)
• deps: slash@^2.0.0 (bedd6af)
• deps: write-json-file@^3.2.0 (4fa7dea)
• listable: Output JSON adjacency list with --graph (9457a21), closes #1970
• otplease: Expose getOneTimePassword() helper (44b9f70)
• publish: Eager prompt for OTP when account-level 2FA is enabled (4f893d1)
• run-lifecycle: Upgrade npm-lifecycle@^3.1.0 (e015a74)