deps: upgrade npm to 12.0.0-pre.1 #64096
Open
npm-cli-bot wants to merge 1 commit into
NOT FOR MERGING CI Test only
This PR contains changes from:

- npm@12.0.0-pre.0.0
- npm@12.0.0-pre.1

12.0.0-pre.0.0 (2026-05-20)

- npm sbom --sbom-format=cyclonedx now reports the name field from each package's package.json instead of the on-disk directory name. The name, bom-ref, and purl of the root component and of aliased dependencies may change.
- man npm-install will no longer work, but npm help install is unaffected.
- npm pkg output is no longer forced to json. This means you can get single values without having to worry about wrapping of the values. It also outputs non-json content more similarly to npm view.
- npm shrinkwrap is removed, the shrinkwrap config alias is removed, and npm-shrinkwrap.json is no longer loaded or honored at the project root or from inside dependency tarballs. Rename project-root npm-shrinkwrap.json to package-lock.json; use bundleDependencies if you need to ship a locked dependency tree.
- npm pack and npm publish have changed. They are now always consistent, and in the same format.
- star, stars and unstar commands have been removed
- npm adduser command has been removed. Create and manage user accounts on the npm website, and use npm login to authenticate on the command line.

Features

- 254809e #9201 npm stage (#9201) (@reggi, @Copilot)
- cf94dbe #9248 add permissions support to trust commands (#9248) (@reggi, @Copilot)
- e0f12f7 #9348 add allow-git/allow-file/allow-directory/allow-remote configs (@owlstronaut)
- 916cb4b #9287 add allow-directory, allow-file, and allow-remote (#9287) (@wraithgar)
- 2e5dcad #9262 drop npm-shrinkwrap.json support (@owlstronaut)
- 2397196 #9265 Remove Twitter and Freenode profile fields (@owlstronaut)
- 738be10 #9196 remove star commands (#9196) (@wraithgar)
- db7c1f8 #9163 add u as alias for update command (#9163) (@Ausoj)
- 45e44dd #9228 adds a backport script (@owlstronaut)

Bug Fixes

- 2a13550 #9380 key stage download --json output by package name (#9380) (@reggi, @Copilot)
- ca585c8 #9368 allow min-release-age in npmrc to coexist with --before (@raazkhnl)
- f550eb4 #9348 refactor #failureNode, adjust tests and safety (@owlstronaut)
- 1f17566 #9348 allow-remote=none does not block registry tarballs (@owlstronaut)
- 70af7b3 #9327 remove settings (#9327) (@owlstronaut)
- d623988 #9311 sbom: dedupe per-node dependsOn / relationships (#9311) (@mikaelkristiansson)
- d36945d #9160 do not unwrap single-item arrays in --json output (@yetanotheraryan)
- faf7348 #9284 align CycloneDX SBOM component names with SPDX (#9284) (@cyphercodes, @cyphercodes)
- e20424b #9035 don't install man pages in system locations (@owlstronaut)
- 01d9acd #9269 pkg: output like npm view does, do not force json output (@wraithgar)
- 27567ab #9257 ignore intended error code (@owlstronaut)
- 4ef5b6e #9039 stop resolving node path via whichnode (@owlstronaut)
- 2e9b26e #9247 sync json output of pack and publish (#9247) (@wraithgar)
- 7357d7f #9036 remove npm adduser command (@owlstronaut)

Documentation

- c97b39b #9363 add example to optionalDependencies section (#9363) (@verifizieren)
- 6704ab2 #9335 npm view with json outputs array docs update (#9335) (@yetanotheraryan)

Dependencies

- d151521 #9382 socks@2.8.9
- a77416e #9382 lru-cache@11.5.0
- b2717e4 #9382 ip-address@10.2.0
- 1c4a796 #9382 brace-expansion@5.0.6
- e36a4e3 #9382 bin-links@6.0.2
- 91bd674 #9382 tar@7.5.15
- 66c7ff1 #9382 semver@7.8.0
- 514c71b #9382 hosted-git-info@9.0.3
- fbe1dd0 #9316 socks@10.1.1
- af65766 #9316 ip-address@10.1.1
- 37bd0c6 #9316 cidr-regex@5.0.5
- 5af02ec #9270 lru-cache@11.3.5
- 799866f #9270 node-gyp@12.3.0
- 79d394e #9270 is-cidr@6.0.4
- 9669d31 #9207 @sigstore/protobuf-specs@0.5.1
- b09a5ac #9207 tinyglobby@0.2.16
- 150231d #9207 picomatch@4.0.4
- 413e0a0 #9207 lru-cache@11.3.3
- 6faa25e #9207 diff@8.0.4
- 87bb9d0 #9207 minimatch@10.2.5
- 2501dd8 #9207 tar@7.5.13
- ccce5f6 #9207 minipass-flush@1.0.6

Chores

- f502c4f #9382 dev dependency updates (@owlstronaut)
- 4259e57 #9316 dev dependency updates (@owlstronaut)
- d68bd36 #9317 add cli-triage team as codeowner (#9317) (@owlstronaut)
- b9332e6 #9270 dev dependency updates (@owlstronaut)
- cc468a8 #9269 refactor tests (@wraithgar)
- 2ca36c4 #9261 fixed non-functional typos throughout the codebase (@opensourcezeal)
- 8131de4 #9239 add action permission for backport workflow (@owlstronaut)
- 6df5f91 #9232 backports can trigger CI (@owlstronaut)
- 07552f5 #9224 don't run npm update in CI (@owlstronaut)
- 05dbba5 #9195 enable prerelease mode (#9195) (@wraithgar)
- @npmcli/arborist@10.0.0-pre.0.0
- @npmcli/config@11.0.0-pre.0.0
- libnpmdiff@8.1.6-pre.0.0
- libnpmexec@10.2.6-pre.0.0
- libnpmfund@7.0.20-pre.0.0
- libnpmpack@10.0.0-pre.0.0
- libnpmpublish@11.2.0-pre.0.0
- libnpmversion@9.0.0-pre.0.0

12.0.0-pre.1 (2026-06-19)

- npm init has been changed from "ISC" to an empty string. If not set, the license field will be omitted from new packages.
- npm now supports node ^22.22.2 || ^24.15.0 || >=26.0.0

Features

- ce7681f #9496 packageExtensions for root-owned dependency manifest repairs (#9496) (@manzoorwanijk)
- 1db885c #9439 native dependency patching (npm patch add/commit/update/ls/rm) (#9439) (@manzoorwanijk)
- fc80bb3 #9234 remove default license for npm init (@owlstronaut)
- be8053c #9544 warn when min-release-age blocks an audit fix (#9544) (@JamieMagee)
- 18eb967 #9559 bump to new node engine range (@owlstronaut)
- c3e1a71 #9532 add min-release-age-exclude config (@JamieMagee, @caseyjhol)
- 5cd5150 #9424 default-deny install scripts (allowScripts opt-in) [v12] (@JamieMagee)
- 64e3f79 #9480 allowScripts tooling and inBundle hardening (#9480) (@JamieMagee)
- caa3295 #9466 default allow-git and allow-remote to none (@owlstronaut)
- f2e4a28 #9351 add a global npmignore file (#9351) (@ljharb)
- c9be2d1 #9153 publish --access=private alias for restricted (#9153) (@reggi, @Copilot)
- 7068d42 #9360 Phase 1 of allowScripts opt-in install-script policy (#9360) (@JamieMagee)
- 979518d #9276 error on unknown configs, flags, and abbreviations (#9276) (@owlstronaut)

Bug Fixes

- e96a7de #8703 Preserve https protocol when working with git (#8703) (@oldium)
- a847d28 #9575 patch: warn when patch update --to targets an uninstalled version (#9575) (@manzoorwanijk)
- 62b0694 #9576 patch: explain out-of-sync lockfile after --ignore-patch-failures (#9576) (@manzoorwanijk)
- 5ddf6cc #9567 patch: keep the update marker on a no-op commit so a retry finalizes (#9567) (@manzoorwanijk)
- fc3ef5a #9559 adapt to @npmcli/run-script@11 breaking changes (@owlstronaut)
- abf78b3 #9540 match dotted and versioned args in approve-scripts/deny-scripts (@owlstronaut)
- f6270d1 #9531 emit valid JSON from approve-scripts/deny-scripts --json (@owlstronaut)
- 0e55f97 #9492 pass script-shell to publish lifecycle hooks (@Zelys-DFKH)
- 2cbb13b #9490 recognize allowScripts for local link targets (#9490) (@cyphercodes, @cyphercodes)
- bf623e0 #9473 validate registry path for allow-remote tarballs (@Abhinav-143x)
- 6be874b #9479 list pending scripts in approve-scripts when ignore-scripts is set (#9479) (@JamieMagee)
- 6603b2c #9469 suggest --allow-scripts for global installs in unreviewed-scripts warnings (#9469) (@JamieMagee)
- fe820b6 #9442 invalid issue template YAML indentation (#9442) (@fallintoplace)
- fe41ae7 #9404 show full parent command path in subcommand usage errors (#9404) (@shaanmajid)
- 75bf7de #9456 respect allowScripts policy in prune, dedupe, uninstall, audit fix, and link (@JamieMagee)
- 6efac6e #9453 config: clarify --all help so it's accurate for approve-scripts and deny-scripts (@JamieMagee)
- b97edc0 #9430 audit: don't apply min-release-age before filter when verifying installed signatures (@JamieMagee)
- 080e3b2 #9425 block forbidden keys in Queryable setter to prevent prototype pollution (@12122J, @claude)
- c5292fa #9422 use prerelease strategy without a bug (@owlstronaut)
- 33aebaa #9410 fix typo of fullMetadata (@owlstronaut)
- 2a03860 #9267 run root preinstall before reify (@owlstronaut)
- c0fc549 #9372 config: pause progress spinner during interactive editor spawn (#9372) (@Zelys-DFKH, @claude)

Documentation

- 357e8cd #9520 approve-scripts only throws EGLOBAL when run with -g (@JamieMagee)
- bcf01c6 #9505 clarify package.json override value specs (#9505) (@ded-furby)
- 455aa4a #9401 use the latest version for global update and outdated's wanted (#9401) (@liangmiQwQ)
- aac80dc #9470 update minimum npm required for npm trust (@meeech)
- d124c08 #9385 Document npm_old_version and npm_new_version environment variables (#9385) (@36degrees)

Dependencies

- 9cbba72 #9579 npm-profile@13.0.1
- d4e0a70 #9559 @tufjs/repo-mock@5.0.0
- 3ef66bb #9559 bundle arborist runtime deps for bootstrap
- 5dce6fb #9559 npm-packlist@11.2.0
- ad05528 #9559 @npmcli/git@8.0.0
- cc45055 #9559 @npmcli/node-gyp@6.0.0
- a12e2c8 #9559 @npmcli/name-from-folder@5.0.0
- cc96d57 #9559 @npmcli/installed-package-contents@5.0.0
- 3dc18e5 #9559 @npmcli/git@8.0.0
- 428afa6 #9559 sigstore@5.0.0
- 95ed19c #9559 regenerate bundled dependencies
- b62db95 #9559 bin-links@7.0.0
- 2f5da83 #9559 @npmcli/fs@6.0.0
- 370f9c6 #9559 node-gyp@13.0.0
- e459d7a #9559 which@7.0.0
- 5032af3 #9559 validate-npm-package-name@8.0.0
- 13d97ac #9559 tar@7.5.16
- 1502286 #9559 ssri@14.0.0
- 68eb39c #9559 semver@7.8.4
- 3484d7f #9559 read@6.0.0
- 21df0ab #9559 proc-log@7.0.0
- 8f85646 #9559 parse-conflict-json@6.0.0
- a44c1cf #9559 pacote@22.0.0
- 171bba3 #9559 npm-user-validate@5.0.0
- 1f9c567 #9559 npm-registry-fetch@20.0.1
- 1fd247a #9559 npm-profile@13.0.0
- 998ff1d #9559 npm-pick-manifest@12.0.0
- d80859a #9559 npm-package-arg@14.0.0
- 5e1d513 #9559 npm-install-checks@9.0.0
- faf97e5 #9559 npm-audit-report@8.0.0
- 471309f #9559 nopt@10.0.1
- 40395b8 #9559 make-fetch-happen@16.0.1
- 30e89d9 #9559 json-parse-even-better-errors@6.0.0
- d44db96 #9559 is-cidr@7.0.0
- 350fb18 #9559 init-package-json@9.0.0
- 406820a #9559 ini@7.0.0
- d867351 #9559 hosted-git-info@10.1.1
- 66d46bc #9559 cacache@21.0.1
- 0d15aec #9559 abbrev@5.0.0
- 9bbdefb #9559 @sigstore/tuf@5.0.0
- 9d13ebf #9559 @npmcli/run-script@11.0.0
- 27c4dcc #9559 @npmcli/redact@5.0.0
- f0eaef3 #9559 @npmcli/promise-spawn@10.0.0
- 0be6ae2 #9559 @npmcli/package-json@8.0.0
- f86a019 #9559 @npmcli/metavuln-calculator@10.0.0
- 4d234b2 #9559 @npmcli/map-workspaces@6.0.0
- d28783e #9420 undici@6.26.0
- 7f6c6ef #9420 sigstore@4.1.1
- ee61b6e #9420 lru-cache@11.5.1
- d5ddef2 #9420 @sigstore/verify@3.1.1
- 11e7ac7 #9420 @sigstore/core@3.2.1
- 11cd66e #9420 @npmcli/agent@4.0.2
- 8be4c04 #9420 semver@7.8.1
- 577d61d #9420 make-fetch-happen@15.0.6

Chores

- 059c06e #9560 add web-login proxy doneUrl regression for npm-profile fix (#9560) (@manzoorwanijk)
- 1453954 #9559 nock@14.0.0 (@owlstronaut)
- 0323f2d #9559 template-oss-apply (@owlstronaut)
- ee3d87f #9559 @npmcli/template-oss@5.1.1 (@owlstronaut)
- d25a179 #9559 template-oss-apply (@owlstronaut)
- acdd6d5 #9559 bumping @npmcli/template-oss from 4.29.0 to 5.1.0 (@owlstronaut)
- 4e2496a #9513 update issue templates - better language (@owlstronaut)
- 7a997ac #9512 update issue templates (#9512) (@owlstronaut)
- da63c79 #9420 dev dependency updates (@owlstronaut)
- 5fc9bc0 #9393 sanitize newlines in flags table default and type values (#9393) (@reggi, @Copilot)
- @npmcli/arborist@10.0.0-pre.1
- @npmcli/config@11.0.0-pre.1
- libnpmaccess@11.0.0-pre.0
- libnpmdiff@9.0.0-pre.0
- libnpmexec@11.0.0-pre.0
- libnpmfund@8.0.0-pre.0
- libnpmorg@9.0.0-pre.0
- libnpmpack@10.0.0-pre.1
- libnpmpublish@12.0.0-pre.0
- libnpmsearch@10.0.0-pre.0
- libnpmteam@9.0.0-pre.0
- libnpmversion@9.0.0-pre.1