Releases: npm/cli
v11.16.0
11.16.0 (2026-05-27)
Features
- 4b67f6e #9416 publish --access=private alias for restricted (#9416) (@github-actions[bot], @reggi, @Copilot)
- a10c7ca #9415 Phase 1 of `allowScripts` opt-in install-script policy (#9360) (#9415) (@owlstronaut, @JamieMagee)
Bug Fixes
- 1f7869b #9411 fix typo of fullMetadata (@owlstronaut)
- cde03ba #9390 config: pause progress spinner during interactive editor spawn (#9388) (@github-actions[bot], @Zelys-DFKH, @claude)
Documentation
- c5e9d73 #9390 Document `npm_old_version` and `npm_new_version` environment variables (#9389) (@github-actions[bot], @36degrees)
Dependencies
- cdd7bbc #9421 [email protected]
- fde87c9 #9421 [email protected]
- 2779793 #9421 [email protected]
- dea702d #9421 @sigstore/[email protected]
- 4eab03f #9421 @sigstore/[email protected]
- 74c7323 #9421 @npmcli/[email protected]
- edc4ab3 #9421 [email protected]
- 5f6ce33 #9421 [email protected]
Chores
- bd04976 #9421 dev dependency updates (@owlstronaut)
- aeceb23 #9407 sanitize newlines in flags table default and type values (#9407) (@reggi, @Copilot)
- workspace: @npmcli/[email protected]
- workspace: @npmcli/[email protected]
- workspace: [email protected]
- workspace: [email protected]
- workspace: [email protected]
- workspace: [email protected]
- workspace: [email protected]
libnpmversion: v8.0.4
8.0.4 (2026-05-27)
Documentation
- c5e9d73 #9390 Document `npm_old_version` and `npm_new_version` environment variables (#9389) (@github-actions[bot], @36degrees)
Chores
- 40fcab4 #8991 @npmcli/[email protected] (@wraithgar)
libnpmpack: v9.1.9
Dependencies
- workspace: @npmcli/[email protected]
libnpmfund: v7.0.23
Dependencies
- workspace: @npmcli/[email protected]
libnpmexec: v10.2.9
10.2.9 (2026-05-27)
Bug Fixes
- 5000cbf #9409 exempt local project introspection from allow-directory (@owlstronaut)
Dependencies
- workspace: @npmcli/[email protected]
libnpmdiff: v8.1.9
Dependencies
- workspace: @npmcli/[email protected]
config: v10.10.0
arborist: v9.7.0
9.7.0 (2026-05-27)
Features
- a10c7ca #9415 Phase 1 of `allowScripts` opt-in install-script policy (#9360) (#9415) (@owlstronaut, @JamieMagee)
Bug Fixes
- d8a7803 #9418 arborist: drop self-link materialization for undeclared workspaces (#9418) (@github-actions[bot], @manzoorwanijk)
- 4d141a0 #9417 skip hidden lockfile save on dry run (#9417) (@github-actions[bot], @puneetdixit200, @puneetdixit200)
v12.0.0-pre.0.0
12.0.0-pre.0.0 (2026-05-20)
⚠️ BREAKING CHANGES
- `npm view --json` now always returns an array.
- `npm sbom --sbom-format=cyclonedx` now reports the `name` field from each package's `package.json` instead of the on-disk directory name. The `name`, `bom-ref`, and `purl` of the root component and of aliased dependencies may change.
- npm no longer registers man pages with the system when installed globally. `man npm-install` will no longer work, but `npm help install` is unaffected.
- The `npm pkg` output is no longer forced to json. This means you can get single values without having to worry about wrapping of the values. It also outputs non-json content more similarly to `npm view`.
- `npm shrinkwrap` is removed, the `shrinkwrap` config alias is removed, and `npm-shrinkwrap.json` is no longer loaded or honored at the project root or from inside dependency tarballs. Rename project-root `npm-shrinkwrap.json` to `package-lock.json`; use `bundleDependencies` if you need to ship a locked dependency tree.
- The Twitter and Freenode profile fields have been removed from the npm registry. This means that users will no longer be able to set or view these fields in their npm profiles.
- npm will no longer attempt to resolve the path to node via whichnode. process.execPath is already set by Node to the resolved real path of the node binary, so the lookup was redundant. Scripts that expected npm to override process.execPath with a PATH-resolved (potentially symlinked) node path may be affected.
- the --json output of `npm pack` and `npm publish` have changed. They are now always consistent, and in the same format.
- the `star`, `stars` and `unstar` commands have been removed
- The `npm adduser` command has been removed. Create and manage user accounts on the npm website, and use `npm login` to authenticate on the command line.
Features
- 254809e #9201 npm stage (#9201) (@reggi, @Copilot)
- cf94dbe #9248 add permissions support to trust commands (#9248) (@reggi, @Copilot)
- e0f12f7 #9348 add allow-git/allow-file/allow-directory/allow-remote configs (@owlstronaut)
- 916cb4b #9287 add allow-directory, allow-file, and allow-remote (#9287) (@wraithgar)
- 2e5dcad #9262 drop npm-shrinkwrap.json support (@owlstronaut)
- 2397196 #9265 Remove Twitter and Freenode profile fields (@owlstronaut)
- 738be10 #9196 remove star commands (#9196) (@wraithgar)
- db7c1f8 #9163 add `u` as alias for `update` command (#9163) (@Ausoj)
- 45e44dd #9228 adds a backport script (@owlstronaut)
Bug Fixes
- 2a13550 #9380 key stage download --json output by package name (#9380) (@reggi, @Copilot)
- ca585c8 #9368 allow min-release-age in npmrc to coexist with --before (@raazkhnl)
- f550eb4 #9348 refactor #failureNode, adjust tests and safety (@owlstronaut)
- 1f17566 #9348 allow-remote=none does not block registry tarballs (@owlstronaut)
- 70af7b3 #9327 remove settings (#9327) (@owlstronaut)
- d623988 #9311 sbom: dedupe per-node dependsOn / relationships (#9311) (@mikaelkristiansson)
- d36945d #9160 do not unwrap single-item arrays in --json output (@yetanotheraryan)
- faf7348 #9284 align CycloneDX SBOM component names with SPDX (#9284) (@cyphercodes, @cyphercodes)
- e20424b #9035 don't install man pages in system locations (@owlstronaut)
- 01d9acd #9269 pkg: output like npm view does, do not force json output (@wraithgar)
- 27567ab #9257 ignore intended error code (@owlstronaut)
- 4ef5b6e #9039 stop resolving node path via whichnode (@owlstronaut)
- 2e9b26e #9247 sync json output of pack and publish (#9247) (@wraithgar)
- 7357d7f #9036 remove npm adduser command (@owlstronaut)
Documentation
- c97b39b #9363 add example to optionalDependencies section (#9363) (@verifizieren)
- 6704ab2 #9335 npm view with json outputs array docs update (#9335) (@yetanotheraryan)
Dependencies
- d151521 #9382 [email protected]
- a77416e #9382 [email protected]
- b2717e4 #9382 [email protected]
- 1c4a796 #9382 [email protected]
- e36a4e3 #9382 [email protected]
- 91bd674 #9382 [email protected]
- 66c7ff1 #9382 [email protected]
- 514c71b #9382 [email protected]
- fbe1dd0 #9316 [email protected]
- af65766 #9316 [email protected]
- 37bd0c6 #9316 [email protected]
- 5af02ec #9270 [email protected]
- 799866f #9270 [email protected]
- 79d394e #9270 [email protected]
- 9669d31 #9207 @sigstore/[email protected]
- b09a5ac #9207 [email protected]
- 150231d #9207 [email protected]
- 413e0a0 #9207 [email protected]
- 6faa25e #9207 [email protected]
- 87bb9d0 #9207 [email protected]
- [2501dd8](htt...
v11.15.0
11.15.0 (2026-05-20)
Features
- 0d5d899 #9379 npm stage (@reggi, @Copilot)
- 1433740 #9376 add permissions support to trust commands (#9376) (@github-actions[bot], @reggi, @Copilot)
- 8df10f5 #9339 add allow-git/allow-file/allow-directory/allow-remote configs (@owlstronaut)
Bug Fixes
- 39b625e #9381 key stage download --json output by package name (#9381) (@reggi, @Copilot)
- 6aa332d #9339 allow min-release-age in npmrc to coexist with --before (@raazkhnl)
- 468550f #9339 refactor #failureNode, adjust tests and safety (@owlstronaut)
- cabe249 #9339 allow-remote=none does not block registry tarballs (@owlstronaut)
Dependencies
- 8416a60 #9383 [email protected]
- 5e5a25b #9383 [email protected]
- a6f9ad2 #9383 [email protected]
- 63f8114 #9383 [email protected]
- 6918b4c #9383 [email protected]
- bf84079 #9383 [email protected]
- bdef82c #9383 [email protected]
- 3f38a67 #9383 [email protected]
Chores
- 816f3bf #9383 dev dependency updates (@owlstronaut)
- workspace: @npmcli/[email protected]
- workspace: @npmcli/[email protected]
- workspace: [email protected]
- workspace: [email protected]
- workspace: [email protected]
- workspace: [email protected]
- workspace: [email protected]