deps: upgrade npm to 11.18.0#64199
Conversation
|
Review requested:
|
|
This will need a rebase to fix the CI failures. |
Is it too late to get the rebase done and landed before the Node.js 26.5.0 release? |
|
The last lone maintainer of npm CLI is no longer at GitHub, and I don’t see anyone else being assigned yet. So, this may take longer to get rebased. |
b420b5e to
56b15b4
Compare
I've restarted the CI for this PR, but am making no promises about getting this into the 26.5.0 release. My intention for 26.5.0 was to start release builds tonight before I go to sleep so I can do the release tomorrow during my working hours (the worst case build time (which I don't know if we'll hit) is ~7 hours). We're past my work hours today so if I did try to get the npm release into 26.5.0 I'd have to give up a chunk of my evening to:
The good news for Node.js 26 is that we do current releases fairly often, so it should not be too long before the next release. |
Oh, that’s great. Thank you for the info. Looking forward to collaborating more on npm. |

11.18.0 (2026-06-29)
Features
3021ad6#9694 arborist: extend replace-registry-host with URL prefix matching (#6110) (#9694) (@github-actions[bot], @u2mejc)abd8c6b#9677 graduate the linked install strategy from experimental to stable (#9677) (@github-actions[bot], @manzoorwanijk)9420673#9662 install-scripts: prune unused allowScripts entries (#9662) (@github-actions[bot], @JamieMagee)fc9d4c7#9635 namespace install-script approval commands under npm install-scripts (#9635) (@manzoorwanijk)073253f#9564 warn when min-release-age blocks an audit fix (#9564) (@github-actions[bot], @JamieMagee)Bug Fixes
598ffdb#9693 sbom: percent-encode vcs_url qualifier in generated purls (#9693) (@github-actions[bot], @ubeddulla)05793d0#9691 output all the required parameters for npm token list (#9691) (@github-actions[bot], @rijildaniel)cd57139#9669 arborist: surface undeclared workspaces under the linked strategy (backport release/v11) (#9669) (@manzoorwanijk)5b6ff9c#9667 reify: report added count for fresh linked installs (#9667) (@github-actions[bot], @manzoorwanijk, @owlstronaut)8f13beb#9664 query: report logical dep location under linked strategy (#9664) (@github-actions[bot], @manzoorwanijk)168ba30#9663 allowScripts: close enforcement gaps (#9652) (backport release/v11) (#9663) (@JamieMagee)ae64f88#9648 exec: resolve workspace-local bin under the linked install strategy (#9648) (@github-actions[bot], @manzoorwanijk)784cbe9#9636 ls: restore 100% coverage on release/v11 after #9633 (#9636) (@manzoorwanijk)70f0ea5#9607 approve-scripts: approve deps with no resolved URL by name (#9607) (@github-actions[bot], @JamieMagee)b2e6338#9602 arborist: don't flag inert optional deps in strict-allow-scripts (#9602) (@github-actions[bot], @JamieMagee)6ad5715#9595 link: scopenpm link --workspaceto the workspace, not the root (#9595) (@github-actions[bot], @manzoorwanijk)Documentation
3658bb5#9690 recommend install-strategy=linked to catch phantom dependencies (#9690) (@github-actions[bot], @manzoorwanijk)Dependencies
54656b6#9696undici@6.27.031c4773#9696brace-expansion@5.0.7e773c77#9696tar@7.5.19f05f6af#9696semver@7.8.5804f9ba#9580npm-profile@12.0.2Chores
f79b37f#9696 dev dependency updates (@owlstronaut)a04cd84#9584 add web-login proxy doneUrl regression for npm-profile fix (#9584) (@github-actions[bot], @manzoorwanijk)@npmcli/arborist@9.9.0@npmcli/config@10.12.0libnpmdiff@8.1.11libnpmexec@10.3.1libnpmfund@7.0.25libnpmpack@9.1.11arborist: 9.9.0
9.9.0 (2026-06-29)
Features
3021ad6#9694 arborist: extend replace-registry-host with URL prefix matching (#6110) (#9694) (@github-actions[bot], @u2mejc)abd8c6b#9677 graduate the linked install strategy from experimental to stable (#9677) (@github-actions[bot], @manzoorwanijk)9420673#9662 install-scripts: prune unused allowScripts entries (#9662) (@github-actions[bot], @JamieMagee)073253f#9564 warn when min-release-age blocks an audit fix (#9564) (@github-actions[bot], @JamieMagee)Bug Fixes
774875b#9686 arborist: keep bin links for allowScripts-denied packages (#9686) (@JamieMagee)719de1e#9673 arborist: apply overrides across a file: link (backport release/v11) (#9673) (@manzoorwanijk)cd57139#9669 arborist: surface undeclared workspaces under the linked strategy (backport release/v11) (#9669) (@manzoorwanijk)ede32d3#9668 arborist: forward transitive overrides through linked store links (#9658) (backport release/v11) (#9668) (@manzoorwanijk)f503b07#9666 correct dev/prod dep flags for workspaces under the linked strategy (#9666) (@github-actions[bot], @manzoorwanijk)f580889#9665 arborist: load transitive optional deps into linked actual tree (#9665) (@github-actions[bot], @manzoorwanijk)8f13beb#9664 query: report logical dep location under linked strategy (#9664) (@github-actions[bot], @manzoorwanijk)168ba30#9663 allowScripts: close enforcement gaps (#9652) (backport release/v11) (#9663) (@JamieMagee)4c9eacb#9649 arborist: clean up stale .store and hoisted dirs on strategy switch (#9649) (@github-actions[bot], @manzoorwanijk)d2c680e#9645 arborist: invalid filterNode crash under the linked strategy (#9645) (@github-actions[bot], @manzoorwanijk)4e40b1c#9644 arborist: repair wrong-but-existing symlink target in linked strategy (#9644) (@github-actions[bot], @manzoorwanijk)9d1774e#9643 arborist: remove stale .bin shims after uninstall under linked (#9643) (@github-actions[bot], @manzoorwanijk)ed37d24#9642 arborist: record the linked .store layout in the hidden lockfile (backport #9630) (#9642) (@manzoorwanijk)e601d4a#9641 arborist: validate peerOptional conflicts in no-save mutations (#9641) (@owlstronaut, @dale-lakes, @dale-lakes)03cee43#9638 arborist: fix audit-report determinism due to dropped via links (#9638) (@github-actions[bot], @arjun-vegeta)a30d855#9633 arborist: don't load store packages' devDependencies as required edges (#9633) (@manzoorwanijk)887ca97#9631 arborist: audit the non-isolated tree under the linked strategy (#9631) (@github-actions[bot], @manzoorwanijk)b2e6338#9602 arborist: don't flag inert optional deps in strict-allow-scripts (#9602) (@github-actions[bot], @JamieMagee)390ebfa#9593 arborist: symlink workspace file: deps on non-workspace local packages (#9593) (@github-actions[bot], @manzoorwanijk)aaeb2f1#9578 arborist: expose store node_modules via NODE_PATH for linked-strategy install scripts (#9578) (@github-actions[bot], @manzoorwanijk)05b6f0f#9577 arborist: allow-remote exemption for proxy/mirror-fronted registry tarballs (#9577) (@github-actions[bot], @manzoorwanijk)config: 10.12.0
10.12.0 (2026-06-29)
Features
3021ad6#9694 arborist: extend replace-registry-host with URL prefix matching (#6110) (#9694) (@github-actions[bot], @u2mejc)abd8c6b#9677 graduate the linked install strategy from experimental to stable (#9677) (@github-actions[bot], @manzoorwanijk)073253f#9564 warn when min-release-age blocks an audit fix (#9564) (@github-actions[bot], @JamieMagee)Bug Fixes
b2e6338#9602 arborist: don't flag inert optional deps in strict-allow-scripts (#9602) (@github-actions[bot], @JamieMagee)Documentation
3658bb5#9690 recommend install-strategy=linked to catch phantom dependencies (#9690) (@github-actions[bot], @manzoorwanijk)libnpmdiff: 8.1.11
Dependencies
@npmcli/arborist@9.9.0libnpmexec: 10.3.1
10.3.1 (2026-06-29)
Bug Fixes
f3f2465#9692 exec: prevent shared binPaths pollution across workspace runs (#9692) (@github-actions[bot], @arjun-vegeta)b2e6338#9602 arborist: don't flag inert optional deps in strict-allow-scripts (#9602) (@github-actions[bot], @JamieMagee)Dependencies
@npmcli/arborist@9.9.0libnpmfund: 7.0.25
Dependencies
@npmcli/arborist@9.9.0libnpmpack: 9.1.11
Dependencies
@npmcli/arborist@9.9.0