Releases: npm/cli
Releases · npm/cli
v11.17.0
11.17.0 (2026-06-11)
Features
ae8ac4e#9534 add min-release-age-exclude config (@JamieMagee, @caseyjhol)8ff3e48#9483 allowScripts tooling and inBundle hardening (#9483) (@github-actions[bot], @JamieMagee)
Bug Fixes
847cdf8#9541 match dotted and versioned args in approve-scripts/deny-scripts (@owlstronaut)d99f7cb#9535 emit valid JSON from approve-scripts/deny-scripts --json (@owlstronaut)351a309#9499 pass script-shell to publish lifecycle hooks (#9499) (@github-actions[bot])4fa81df#9497 recognize allowScripts for local link targets (#9497) (@github-actions[bot], @cyphercodes, @cyphercodes)95cf2e9#9489 validate registry path for allow-remote tarballs (@Abhinav-143x)9dd219b#9462 respect allowScripts policy in prune, dedupe, uninstall, audit, and link (#9462) (@github-actions[bot], @JamieMagee)cd8d18a#9482 list pending scripts in approve-scripts when ignore-scripts is set (#9482) (@github-actions[bot], @JamieMagee)c14e87c#9481 suggest --allow-scripts for global installs in unreviewed-scripts warnings (#9481) (@github-actions[bot], @JamieMagee)7ade52e#9465 invalid issue template YAML indentation (#9465) (@github-actions[bot], @fallintoplace)c069622#9464 show full parent command path in subcommand usage errors (#9464) (@owlstronaut)1bb62bb#9454 config: clarify --all help so it's accurate for approve-scripts and deny-scripts (@JamieMagee)84eeb5f#9431 audit: don't apply min-release-age before filter when verifying installed signatures (@JamieMagee)3bd3377#9426 block forbidden keys in Queryable setter to prevent prototype pollution (@12122J, @claude)
Documentation
a86a7a9#9522 approve-scripts only throws EGLOBAL when run with -g (@JamieMagee)693bb3d#9508 clarify package.json override value specs (#9508) (@github-actions[bot], @ded-furby)ccffe4a#9501 use the latest version for global update and outdated'swanted(#9501) (@github-actions[bot], @liangmiQwQ)66e97c2#9478 update minimum npm required for npm trust (@meeech)
Dependencies
bd09b87#9542postcss-selector-parser@7.1.495bfc4c#9542tinyglobby@0.2.178c0d5fd#9542tar@7.5.16967d377#9542semver@7.8.4cdaac1b#9542pacote@21.5.125c8a9e#9542node-gyp@12.4.0
Chores
Contributors
meeech, claude, and 9 other contributors
Assets 2
libnpmpack: v9.1.10
Contributors
rootvector2
Assets 2
libnpmfund: v7.0.24
Dependencies
- workspace:
@npmcli/arborist@9.8.0
libnpmexec: v10.3.0
10.3.0 (2026-06-11)
Features
8ff3e48#9483 allowScripts tooling and inBundle hardening (#9483) (@github-actions[bot], @JamieMagee)
Bug Fixes
1bb1b8c#9467 escape executable name in libnpmexec run-script (#9467) (@github-actions[bot], @rootvector2)
Dependencies
- workspace:
@npmcli/arborist@9.8.0
Contributors
JamieMagee and rootvector2
Assets 2
libnpmdiff: v8.1.10
Dependencies
- workspace:
@npmcli/arborist@9.8.0
config: v10.11.0
10.11.0 (2026-06-11)
Features
5f73e31#9539 differentiate GitHub Actions environments in user-agent (#9517) (@reggi, @Copilot)ae8ac4e#9534 add min-release-age-exclude config (@JamieMagee, @caseyjhol)
Bug Fixes
1bb62bb#9454 config: clarify --all help so it's accurate for approve-scripts and deny-scripts (@JamieMagee)
Contributors
reggi, JamieMagee, and caseyjhol
Assets 2
arborist: v9.8.0
9.8.0 (2026-06-11)
Features
ae8ac4e#9534 add min-release-age-exclude config (@JamieMagee, @caseyjhol)8ff3e48#9483 allowScripts tooling and inBundle hardening (#9483) (@github-actions[bot], @JamieMagee)
Bug Fixes
fc5573a#9530 keep nested file: deps and re-resolve changed git refs (#9530) (@github-actions[bot], @owlstronaut)b13ee4d#9511 arborist: honor allow-remote=root for root-direct remote tarballs (#9511) (@github-actions[bot], @manzoorwanijk)66408d7#9500 arborist: apply registry-tarball allow-remote exemption in linked strategy (#9500) (@github-actions[bot], @manzoorwanijk)4fa81df#9497 recognize allowScripts for local link targets (#9497) (@github-actions[bot], @cyphercodes, @cyphercodes)95cf2e9#9489 validate registry path for allow-remote tarballs (@Abhinav-143x)869cb9a#9485 arborist: link meta-only optional peers in linked strategy (@manzoorwanijk)d41a9e3#9484 arborist: clean up orphaned scoped store entries in linked strategy (@manzoorwanijk)39d034d#9455 sanitize package name in linked-strategy path construction (@owlstronaut)d59c964#9451 reject path traversal entries when inflating dependency shrinkwraps (@owlstronaut)c9045d5#9429 arborist: read install scripts from disk on lockfile installs instead of a sentinel (@JamieMagee)
Contributors
owlstronaut, JamieMagee, and 4 other contributors
Assets 2
v11.16.0
11.16.0 (2026-05-27)
Features
4b67f6e#9416 publish --access=private alias for restricted (#9416) (@github-actions[bot], @reggi, @Copilot)a10c7ca#9415 Phase 1 ofallowScriptsopt-in install-script policy (#9360) (#9415) (@owlstronaut, @JamieMagee)
Bug Fixes
1f7869b#9411 fix typo of fullMetadata (@owlstronaut)cde03ba#9390 config: pause progress spinner during interactive editor spawn (#9388) (@github-actions[bot], @Zelys-DFKH, @claude)
Documentation
c5e9d73#9390 Documentnpm_old_versionandnpm_new_versionenvironment variables (#9389) (@github-actions[bot], @36degrees)
Dependencies
cdd7bbc#9421undici@6.26.0fde87c9#9421sigstore@4.1.12779793#9421lru-cache@11.5.1dea702d#9421@sigstore/verify@3.1.14eab03f#9421@sigstore/core@3.2.174c7323#9421@npmcli/agent@4.0.2edc4ab3#9421semver@7.8.15f6ce33#9421make-fetch-happen@15.0.6
Chores
bd04976#9421 dev dependency updates (@owlstronaut)aeceb23#9407 sanitize newlines in flags table default and type values (#9407) (@reggi, @Copilot)- workspace:
@npmcli/arborist@9.7.0 - workspace:
@npmcli/config@10.10.0 - workspace:
libnpmdiff@8.1.9 - workspace:
libnpmexec@10.2.9 - workspace:
libnpmfund@7.0.23 - workspace:
libnpmpack@9.1.9 - workspace:
libnpmversion@8.0.4
Contributors
claude, 36degrees, and 4 other contributors
Assets 2
libnpmversion: v8.0.4
8.0.4 (2026-05-27)
Documentation
c5e9d73#9390 Documentnpm_old_versionandnpm_new_versionenvironment variables (#9389) (@github-actions[bot], @36degrees)
Chores
40fcab4#8991@npmcli/template-oss@4.29.0(@wraithgar)
Contributors
wraithgar and 36degrees
Assets 2
libnpmpack: v9.1.9
Dependencies
- workspace:
@npmcli/arborist@9.7.0