deps: upgrade npm to 11.18.0 #64199
Open
npm-cli-bot wants to merge 1 commit into
lpinca
approved these changes
Jun 29, 2026
gurgunday
approved these changes
Jun 29, 2026
11.18.0 (2026-06-29)
Features
- 3021ad6 #9694 arborist: extend replace-registry-host with URL prefix matching (#6110) (#9694) (@github-actions[bot], @u2mejc)
- abd8c6b #9677 graduate the linked install strategy from experimental to stable (#9677) (@github-actions[bot], @manzoorwanijk)
- 9420673 #9662 install-scripts: prune unused allowScripts entries (#9662) (@github-actions[bot], @JamieMagee)
- fc9d4c7 #9635 namespace install-script approval commands under npm install-scripts (#9635) (@manzoorwanijk)
- 073253f #9564 warn when min-release-age blocks an audit fix (#9564) (@github-actions[bot], @JamieMagee)
Bug Fixes
- 598ffdb #9693 sbom: percent-encode vcs_url qualifier in generated purls (#9693) (@github-actions[bot], @ubeddulla)
- 05793d0 #9691 output all the required parameters for npm token list (#9691) (@github-actions[bot], @rijildaniel)
- cd57139 #9669 arborist: surface undeclared workspaces under the linked strategy (backport release/v11) (#9669) (@manzoorwanijk)
- 5b6ff9c #9667 reify: report added count for fresh linked installs (#9667) (@github-actions[bot], @manzoorwanijk, @owlstronaut)
- 8f13beb #9664 query: report logical dep location under linked strategy (#9664) (@github-actions[bot], @manzoorwanijk)
- 168ba30 #9663 allowScripts: close enforcement gaps (#9652) (backport release/v11) (#9663) (@JamieMagee)
- ae64f88 #9648 exec: resolve workspace-local bin under the linked install strategy (#9648) (@github-actions[bot], @manzoorwanijk)
- 784cbe9 #9636 ls: restore 100% coverage on release/v11 after #9633 (#9636) (@manzoorwanijk)
- 70f0ea5 #9607 approve-scripts: approve deps with no resolved URL by name (#9607) (@github-actions[bot], @JamieMagee)
- b2e6338 #9602 arborist: don't flag inert optional deps in strict-allow-scripts (#9602) (@github-actions[bot], @JamieMagee)
- 6ad5715 #9595 link: scope `npm link --workspace` to the workspace, not the root (#9595) (@github-actions[bot], @manzoorwanijk)
Documentation
- 3658bb5 #9690 recommend install-strategy=linked to catch phantom dependencies (#9690) (@github-actions[bot], @manzoorwanijk)
Dependencies
- 54656b6 #9696 undici@6.27.0
- 31c4773 #9696 brace-expansion@5.0.7
- e773c77 #9696 tar@7.5.19
- f05f6af #9696 semver@7.8.5
- 804f9ba #9580 npm-profile@12.0.2
Chores
- f79b37f #9696 dev dependency updates (@owlstronaut)
- a04cd84 #9584 add web-login proxy doneUrl regression for npm-profile fix (#9584) (@github-actions[bot], @manzoorwanijk)
- @npmcli/arborist@9.9.0
- @npmcli/config@10.12.0
- libnpmdiff@8.1.11
- libnpmexec@10.3.1
- libnpmfund@7.0.25
- libnpmpack@9.1.11
arborist: 9.9.0
9.9.0 (2026-06-29)
Features
- 3021ad6 #9694 arborist: extend replace-registry-host with URL prefix matching (#6110) (#9694) (@github-actions[bot], @u2mejc)
- abd8c6b #9677 graduate the linked install strategy from experimental to stable (#9677) (@github-actions[bot], @manzoorwanijk)
- 9420673 #9662 install-scripts: prune unused allowScripts entries (#9662) (@github-actions[bot], @JamieMagee)
- 073253f #9564 warn when min-release-age blocks an audit fix (#9564) (@github-actions[bot], @JamieMagee)
Bug Fixes
- 774875b #9686 arborist: keep bin links for allowScripts-denied packages (#9686) (@JamieMagee)
- 719de1e #9673 arborist: apply overrides across a file: link (backport release/v11) (#9673) (@manzoorwanijk)
- cd57139 #9669 arborist: surface undeclared workspaces under the linked strategy (backport release/v11) (#9669) (@manzoorwanijk)
- ede32d3 #9668 arborist: forward transitive overrides through linked store links (#9658) (backport release/v11) (#9668) (@manzoorwanijk)
- f503b07 #9666 correct dev/prod dep flags for workspaces under the linked strategy (#9666) (@github-actions[bot], @manzoorwanijk)
- f580889 #9665 arborist: load transitive optional deps into linked actual tree (#9665) (@github-actions[bot], @manzoorwanijk)
- 8f13beb #9664 query: report logical dep location under linked strategy (#9664) (@github-actions[bot], @manzoorwanijk)
- 168ba30 #9663 allowScripts: close enforcement gaps (#9652) (backport release/v11) (#9663) (@JamieMagee)
- 4c9eacb #9649 arborist: clean up stale .store and hoisted dirs on strategy switch (#9649) (@github-actions[bot], @manzoorwanijk)
- d2c680e #9645 arborist: invalid filterNode crash under the linked strategy (#9645) (@github-actions[bot], @manzoorwanijk)
- 4e40b1c #9644 arborist: repair wrong-but-existing symlink target in linked strategy (#9644) (@github-actions[bot], @manzoorwanijk)
- 9d1774e #9643 arborist: remove stale .bin shims after uninstall under linked (#9643) (@github-actions[bot], @manzoorwanijk)
- ed37d24 #9642 arborist: record the linked .store layout in the hidden lockfile (backport #9630) (#9642) (@manzoorwanijk)
- e601d4a #9641 arborist: validate peerOptional conflicts in no-save mutations (#9641) (@owlstronaut, @dale-lakes, @dale-lakes)
- 03cee43 #9638 arborist: fix audit-report determinism due to dropped via links (#9638) (@github-actions[bot], @arjun-vegeta)
- a30d855 #9633 arborist: don't load store packages' devDependencies as required edges (#9633) (@manzoorwanijk)
- 887ca97 #9631 arborist: audit the non-isolated tree under the linked strategy (#9631) (@github-actions[bot], @manzoorwanijk)
- b2e6338 #9602 arborist: don't flag inert optional deps in strict-allow-scripts (#9602) (@github-actions[bot], @JamieMagee)
- 390ebfa #9593 arborist: symlink workspace file: deps on non-workspace local packages (#9593) (@github-actions[bot], @manzoorwanijk)
- aaeb2f1 #9578 arborist: expose store node_modules via NODE_PATH for linked-strategy install scripts (#9578) (@github-actions[bot], @manzoorwanijk)
- 05b6f0f #9577 arborist: allow-remote exemption for proxy/mirror-fronted registry tarballs (#9577) (@github-actions[bot], @manzoorwanijk)
config: 10.12.0
10.12.0 (2026-06-29)
Features
- 3021ad6 #9694 arborist: extend replace-registry-host with URL prefix matching (#6110) (#9694) (@github-actions[bot], @u2mejc)
- abd8c6b #9677 graduate the linked install strategy from experimental to stable (#9677) (@github-actions[bot], @manzoorwanijk)
- 073253f #9564 warn when min-release-age blocks an audit fix (#9564) (@github-actions[bot], @JamieMagee)
Bug Fixes
- b2e6338 #9602 arborist: don't flag inert optional deps in strict-allow-scripts (#9602) (@github-actions[bot], @JamieMagee)
Documentation
- 3658bb5 #9690 recommend install-strategy=linked to catch phantom dependencies (#9690) (@github-actions[bot], @manzoorwanijk)
libnpmdiff: 8.1.11
Dependencies
- @npmcli/arborist@9.9.0
libnpmexec: 10.3.1
10.3.1 (2026-06-29)
Bug Fixes
- f3f2465 #9692 exec: prevent shared binPaths pollution across workspace runs (#9692) (@github-actions[bot], @arjun-vegeta)
- b2e6338 #9602 arborist: don't flag inert optional deps in strict-allow-scripts (#9602) (@github-actions[bot], @JamieMagee)
Dependencies
- @npmcli/arborist@9.9.0
libnpmfund: 7.0.25
Dependencies
- @npmcli/arborist@9.9.0
libnpmpack: 9.1.11
Dependencies
- @npmcli/arborist@9.9.0