v12.0.0-pre.0.0

12.0.0-pre.0.0 (2026-05-20)

⚠️ BREAKING CHANGES

• npm view --json now always returns an array.
• npm sbom --sbom-format=cyclonedx now reports the name field from each package's package.json instead of the on-disk directory name. The name, bom-ref, and purl of the root component and of aliased dependencies may change.
• npm no longer registers man pages with the system when installed globally. man npm-install will no longer work, but npm help install is unaffected.
• The npm pkg output is no longer forced to json. This means you can get single values without having to worry about wrapping of the values. It also outputs non-json content more similarly to npm view.
• npm shrinkwrap is removed, the shrinkwrap config alias is removed, and npm-shrinkwrap.json is no longer loaded or honored at the project root or from inside dependency tarballs. Rename project-root npm-shrinkwrap.json to package-lock.json; use bundleDependencies if you need to ship a locked dependency tree.
• The Twitter and Freenode profile fields have been removed from the npm registry. This means that users will no longer be able to set or view these fields in their npm profiles.
• npm will no longer attempt to resolve the path to node via whichnode. process.execPath is already set by Node to the resolved real path of the node binary, so the lookup was redundant. Scripts that expected npm to override process.execPath with a PATH-resolved (potentially symlinked) node path may be affected.
• the --json output of npm pack and npm publish have changed. They are now always consistent, and in the same format.
• the star, stars and unstar commands have been removed
• The npm adduser command has been removed. Create and manage user accounts on the npm website, and use npm login to authenticate on the command line.

Features

• 254809e #9201 npm stage (#9201) (@reggi, @Copilot)
• cf94dbe #9248 add permissions support to trust commands (#9248) (@reggi, @Copilot)
• e0f12f7 #9348 add allow-git/allow-file/allow-directory/allow-remote configs (@owlstronaut)
• 916cb4b #9287 add allow-directory, allow-file, and allow-remote (#9287) (@wraithgar)
• 2e5dcad #9262 drop npm-shrinkwrap.json support (@owlstronaut)
• 2397196 #9265 Remove Twitter and Freenode profile fields (@owlstronaut)
• 738be10 #9196 remove star commands (#9196) (@wraithgar)
• db7c1f8 #9163 add u as alias for update command (#9163) (@Ausoj)
• 45e44dd #9228 adds a backport script (@owlstronaut)

Bug Fixes

• 2a13550 #9380 key stage download --json output by package name (#9380) (@reggi, @Copilot)
• ca585c8 #9368 allow min-release-age in npmrc to coexist with --before (@raazkhnl)
• f550eb4 #9348 refactor #failureNode, adjust tests and safety (@owlstronaut)
• 1f17566 #9348 allow-remote=none does not block registry tarballs (@owlstronaut)
• 70af7b3 #9327 remove settings (#9327) (@owlstronaut)
• d623988 #9311 sbom: dedupe per-node dependsOn / relationships (#9311) (@mikaelkristiansson)
• d36945d #9160 do not unwrap single-item arrays in --json output (@yetanotheraryan)
• faf7348 #9284 align CycloneDX SBOM component names with SPDX (#9284) (@cyphercodes, @cyphercodes)
• e20424b #9035 don't install man pages in system locations (@owlstronaut)
• 01d9acd #9269 pkg: output like npm view does, do not force json output (@wraithgar)
• 27567ab #9257 ignore intended error code (@owlstronaut)
• 4ef5b6e #9039 stop resolving node path via whichnode (@owlstronaut)
• 2e9b26e #9247 sync json output of pack and publish (#9247) (@wraithgar)
• 7357d7f #9036 remove npm adduser command (@owlstronaut)

Documentation

• c97b39b #9363 add example to optionalDependencies section (#9363) (@verifizieren)
• 6704ab2 #9335 npm view with json outputs array docs update (#9335) (@yetanotheraryan)

Dependencies

• d151521 #9382 socks@2.8.9
• a77416e #9382 lru-cache@11.5.0
• b2717e4 #9382 ip-address@10.2.0
• 1c4a796 #9382 brace-expansion@5.0.6
• e36a4e3 #9382 bin-links@6.0.2
• 91bd674 #9382 tar@7.5.15
• 66c7ff1 #9382 semver@7.8.0
• 514c71b #9382 hosted-git-info@9.0.3
• fbe1dd0 #9316 socks@10.1.1
• af65766 #9316 ip-address@10.1.1
• 37bd0c6 #9316 cidr-regex@5.0.5
• 5af02ec #9270 lru-cache@11.3.5
• 799866f #9270 node-gyp@12.3.0
• 79d394e #9270 is-cidr@6.0.4
• 9669d31 #9207 @sigstore/protobuf-specs@0.5.1
• b09a5ac #9207 tinyglobby@0.2.16
• 150231d #9207 picomatch@4.0.4
• 413e0a0 #9207 lru-cache@11.3.3
• 6faa25e #9207 diff@8.0.4
• 87bb9d0 #9207 minimatch@10.2.5
• [2501dd8](htt...

v11.15.0

11.15.0 (2026-05-20)

Features

• 0d5d899 #9379 npm stage (@reggi, @Copilot)
• 1433740 #9376 add permissions support to trust commands (#9376) (@github-actions[bot], @reggi, @Copilot)
• 8df10f5 #9339 add allow-git/allow-file/allow-directory/allow-remote configs (@owlstronaut)

Bug Fixes

• 39b625e #9381 key stage download --json output by package name (#9381) (@reggi, @Copilot)
• 6aa332d #9339 allow min-release-age in npmrc to coexist with --before (@raazkhnl)
• 468550f #9339 refactor #failureNode, adjust tests and safety (@owlstronaut)
• cabe249 #9339 allow-remote=none does not block registry tarballs (@owlstronaut)

Dependencies

• 8416a60 #9383 socks@2.8.9
• 5e5a25b #9383 lru-cache@11.5.0
• a6f9ad2 #9383 ip-address@10.2.0
• 63f8114 #9383 brace-expansion@5.0.6
• 6918b4c #9383 bin-links@6.0.2
• bf84079 #9383 tar@7.5.15
• bdef82c #9383 semver@7.8.0
• 3f38a67 #9383 hosted-git-info@9.0.3

Chores

• 816f3bf #9383 dev dependency updates (@owlstronaut)
• workspace: @npmcli/arborist@9.6.0
• workspace: @npmcli/config@10.9.1
• workspace: libnpmdiff@8.1.8
• workspace: libnpmexec@10.2.8
• workspace: libnpmfund@7.0.22
• workspace: libnpmpack@9.1.8
• workspace: libnpmpublish@11.2.0

libnpmpublish: v11.2.0

11.2.0 (2026-05-20)

Features

• 0d5d899 #9379 npm stage (@reggi, @Copilot)

Chores

• 40fcab4 #8991 @npmcli/template-oss@4.29.0 (@wraithgar)

libnpmpack: v9.1.8

Dependencies

• workspace: @npmcli/arborist@9.6.0

libnpmfund: v7.0.22

Dependencies

• workspace: @npmcli/arborist@9.6.0

libnpmexec: v10.2.8

Dependencies

• workspace: @npmcli/arborist@9.6.0

libnpmdiff: v8.1.8

Dependencies

• workspace: @npmcli/arborist@9.6.0

config: v10.9.1

10.9.1 (2026-05-20)

Bug Fixes

• 25708d3 #9339 min-release-age=0 doesn't filter, honor cross-source precedence (@owlstronaut)
• 6aa332d #9339 allow min-release-age in npmrc to coexist with --before (@raazkhnl)

arborist: v9.6.0

9.6.0 (2026-05-20)

Features

• 8df10f5 #9339 add allow-git/allow-file/allow-directory/allow-remote configs (@owlstronaut)

Bug Fixes

• d7e195a #9362 arborist: skip lockfile entries for optional deps with incomplete manifests (#9362) (@github-actions[bot], @ecanturk, @owlstronaut)
• 9c78f2a #9361 arborist: only forward Link overrides when a rule names a target dep (@manzoorwanijk)
• 468550f #9339 refactor #failureNode, adjust tests and safety (@owlstronaut)
• cabe249 #9339 allow-remote=none does not block registry tarballs (@owlstronaut)
• 2169018 #9340 arborist: skip extraneous fsChildren in linked-strategy reify (@manzoorwanijk)
• 1d0395e #9338 arborist: prune removed-workspace entries from package-lock.json (@manzoorwanijk)

Chores

• 6a2bdbc #9350 change test wording to not collide with tap (#9350) (@github-actions[bot], @owlstronaut)

libnpmversion: v9.0.0-pre.0.0

9.0.0-pre.0.0 (2026-05-20)

⚠️ BREAKING CHANGES

• npm shrinkwrap is removed, the shrinkwrap config alias is removed, and npm-shrinkwrap.json is no longer loaded or honored at the project root or from inside dependency tarballs. Rename project-root npm-shrinkwrap.json to package-lock.json; use bundleDependencies if you need to ship a locked dependency tree.

Features

• 2e5dcad #9262 drop npm-shrinkwrap.json support (@owlstronaut)

Chores

• 40fcab4 #8991 @npmcli/template-oss@4.29.0 (@wraithgar)