12.0.0-pre.1 (2026-06-19)

⚠️ BREAKING CHANGES

• Preserve https protocol when working with git (#8703)
• The default license for npm init has been changed from "ISC" to an empty string. If not set, the license field will be omitted from new packages.
• npm now supports node ^22.22.2 || ^24.15.0 || >=26.0.0
• allow-git and allow-remote now default to "none"; set them to "all" (or "root") to install git or user-supplied tarball-URL dependencies.
• root `preinstall` now runs before dependencies are installed.
• unknown configs in .npmrc, unknown CLI flags, abbreviated flags, and single-hyphen multi-char shorthands now throw instead of warning.

Features

• ce7681f #9496 packageExtensions for root-owned dependency manifest repairs (#9496) (@manzoorwanijk)
• 1db885c #9439 native dependency patching (npm patch add/commit/update/ls/rm) (#9439) (@manzoorwanijk)
• fc80bb3 #9234 remove default license for npm init (@owlstronaut)
• be8053c #9544 warn when min-release-age blocks an audit fix (#9544) (@JamieMagee)
• 18eb967 #9559 bump to new node engine range (@owlstronaut)
• c3e1a71 #9532 add min-release-age-exclude config (@JamieMagee, @caseyjhol)
• 5cd5150 #9424 default-deny install scripts (allowScripts opt-in) [v12] (@JamieMagee)
• 64e3f79 #9480 allowScripts tooling and inBundle hardening (#9480) (@JamieMagee)
• caa3295 #9466 default allow-git and allow-remote to none (@owlstronaut)
• f2e4a28 #9351 add a global npmignore file (#9351) (@ljharb)
• c9be2d1 #9153 publish --access=private alias for restricted (#9153) (@reggi, @Copilot)
• 7068d42 #9360 Phase 1 of allowScripts opt-in install-script policy (#9360) (@JamieMagee)
• 979518d #9276 error on unknown configs, flags, and abbreviations (#9276) (@owlstronaut)

Bug Fixes

• e96a7de #8703 Preserve https protocol when working with git (#8703) (@oldium)
• a847d28 #9575 patch: warn when patch update --to targets an uninstalled version (#9575) (@manzoorwanijk)
• 62b0694 #9576 patch: explain out-of-sync lockfile after --ignore-patch-failures (#9576) (@manzoorwanijk)
• 5ddf6cc #9567 patch: keep the update marker on a no-op commit so a retry finalizes (#9567) (@manzoorwanijk)
• fc3ef5a #9559 adapt to @npmcli/run-script@11 breaking changes (@owlstronaut)
• abf78b3 #9540 match dotted and versioned args in approve-scripts/deny-scripts (@owlstronaut)
• f6270d1 #9531 emit valid JSON from approve-scripts/deny-scripts --json (@owlstronaut)
• 0e55f97 #9492 pass script-shell to publish lifecycle hooks (@Zelys-DFKH)
• 2cbb13b #9490 recognize allowScripts for local link targets (#9490) (@cyphercodes, @cyphercodes)
• bf623e0 #9473 validate registry path for allow-remote tarballs (@Abhinav-143x)
• 6be874b #9479 list pending scripts in approve-scripts when ignore-scripts is set (#9479) (@JamieMagee)
• 6603b2c #9469 suggest --allow-scripts for global installs in unreviewed-scripts warnings (#9469) (@JamieMagee)
• fe820b6 #9442 invalid issue template YAML indentation (#9442) (@fallintoplace)
• fe41ae7 #9404 show full parent command path in subcommand usage errors (#9404) (@shaanmajid)
• 75bf7de #9456 respect allowScripts policy in prune, dedupe, uninstall, audit fix, and link (@JamieMagee)
• 6efac6e #9453 config: clarify --all help so it's accurate for approve-scripts and deny-scripts (@JamieMagee)
• b97edc0 #9430 audit: don't apply min-release-age before filter when verifying installed signatures (@JamieMagee)
• 080e3b2 #9425 block forbidden keys in Queryable setter to prevent prototype pollution (@12122J, @claude)
• c5292fa #9422 use prerelease strategy without a bug (@owlstronaut)
• 33aebaa #9410 fix typo of fullMetadata (@owlstronaut)
• 2a03860 #9267 run root preinstall before reify (@owlstronaut)
• c0fc549 #9372 config: pause progress spinner during interactive editor spawn (#9372) (@Zelys-DFKH, @claude)

Documentation

• 357e8cd #9520 approve-scripts only throws EGLOBAL when run with -g (@JamieMagee)
• bcf01c6 #9505 clarify package.json override value specs (#9505) (@ded-furby)
• 455aa4a #9401 use the latest version for global update and outdated's wanted (#9401) (@liangmiQwQ)
• aac80dc #9470 update minimum npm required for npm trust (@meeech)
• d124c08 #9385 Document npm_old_version and npm_new_version environment variables (#9385) (@36degrees)

Dependencies

• 9cbba72 #9579 npm-profile@13.0.1
• d4e0a70 #9559 @tufjs/repo-mock@5.0.0
• 3ef66bb #9559 bundle arborist runtime deps for bootstrap
• 5dce6fb #9559 npm-packlist@11.2.0
• ad05528 #9559 @npmcli/git@8.0.0
• [cc45055](https://gi...

9.0.0-pre.1 (2026-06-19)

⚠️ BREAKING CHANGES

• npm now supports node ^22.22.2 || ^24.15.0 || >=26.0.0

Features

• 18eb967 #9559 bump to new node engine range (@owlstronaut)

Bug Fixes

• c5292fa #9422 use prerelease strategy without a bug (@owlstronaut)

Documentation

• d124c08 #9385 Document npm_old_version and npm_new_version environment variables (#9385) (@36degrees)

Dependencies

• 3dc18e5 #9559 @npmcli/git@8.0.0
• 21df0ab #9559 proc-log@7.0.0
• 30e89d9 #9559 json-parse-even-better-errors@6.0.0
• 9d13ebf #9559 @npmcli/run-script@11.0.0

Chores

• 0323f2d #9559 template-oss-apply (@owlstronaut)
• ee3d87f #9559 @npmcli/template-oss@5.1.1 (@owlstronaut)
• d25a179 #9559 template-oss-apply (@owlstronaut)

9.0.0-pre.0 (2026-06-19)

⚠️ BREAKING CHANGES

• npm now supports node ^22.22.2 || ^24.15.0 || >=26.0.0

Features

• 18eb967 #9559 bump to new node engine range (@owlstronaut)

Dependencies

• 1f9c567 #9559 npm-registry-fetch@20.0.1

Chores

• 1453954 #9559 nock@14.0.0 (@owlstronaut)
• 0323f2d #9559 template-oss-apply (@owlstronaut)
• ee3d87f #9559 @npmcli/template-oss@5.1.1 (@owlstronaut)
• d25a179 #9559 template-oss-apply (@owlstronaut)
• 40fcab4 #8991 @npmcli/template-oss@4.29.0 (@wraithgar)
• 5e0909b #8620 fix spelling in workspaces (#8620) (@jsoref)

10.0.0-pre.0 (2026-06-19)

⚠️ BREAKING CHANGES

• npm now supports node ^22.22.2 || ^24.15.0 || >=26.0.0

Features

• 18eb967 #9559 bump to new node engine range (@owlstronaut)

Dependencies

• 1f9c567 #9559 npm-registry-fetch@20.0.1

Chores

• 1453954 #9559 nock@14.0.0 (@owlstronaut)
• 0323f2d #9559 template-oss-apply (@owlstronaut)
• ee3d87f #9559 @npmcli/template-oss@5.1.1 (@owlstronaut)
• d25a179 #9559 template-oss-apply (@owlstronaut)
• 40fcab4 #8991 @npmcli/template-oss@4.29.0 (@wraithgar)
• 5e0909b #8620 fix spelling in workspaces (#8620) (@jsoref)

12.0.0-pre.0 (2026-06-19)

⚠️ BREAKING CHANGES

• npm now supports node ^22.22.2 || ^24.15.0 || >=26.0.0
• opts.access now defaults to null instead of 'public'. With null, libnpmpublish no longer sets an explicit access level in the publish payload, so new scoped packages are created as restricted (registry default) and republishes preserve the existing access level. Callers that want to force public access must now pass access: 'public' explicitly.

Features

• ce7681f #9496 packageExtensions for root-owned dependency manifest repairs (#9496) (@manzoorwanijk)
• 1db885c #9439 native dependency patching (npm patch add/commit/update/ls/rm) (#9439) (@manzoorwanijk)
• 18eb967 #9559 bump to new node engine range (@owlstronaut)

Bug Fixes

• 79b0c84 #9419 default opts.access to null to preserve registry behavior (@owlstronaut)
• c5292fa #9422 use prerelease strategy without a bug (@owlstronaut)

Dependencies

• 428afa6 #9559 sigstore@5.0.0
• 1502286 #9559 ssri@14.0.0
• 21df0ab #9559 proc-log@7.0.0
• 1f9c567 #9559 npm-registry-fetch@20.0.1
• d80859a #9559 npm-package-arg@14.0.0
• 0be6ae2 #9559 @npmcli/package-json@8.0.0

Chores

• 1453954 #9559 nock@14.0.0 (@owlstronaut)
• 0323f2d #9559 template-oss-apply (@owlstronaut)
• ee3d87f #9559 @npmcli/template-oss@5.1.1 (@owlstronaut)
• d25a179 #9559 template-oss-apply (@owlstronaut)

10.0.0-pre.1 (2026-06-19)

⚠️ BREAKING CHANGES

• npm now supports node ^22.22.2 || ^24.15.0 || >=26.0.0
• allow-git and allow-remote now default to "none"; set them to "all" (or "root") to install git or user-supplied tarball-URL dependencies.

Features

• 18eb967 #9559 bump to new node engine range (@owlstronaut)
• caa3295 #9466 default allow-git and allow-remote to none (@owlstronaut)

Bug Fixes

• 76f8059 #9446 flatten path separators in pack output filename (#9446) (@rootvector2)
• c5292fa #9422 use prerelease strategy without a bug (@owlstronaut)

Dependencies

• a44c1cf #9559 pacote@22.0.0
• d80859a #9559 npm-package-arg@14.0.0
• 9d13ebf #9559 @npmcli/run-script@11.0.0

Chores

• 1453954 #9559 nock@14.0.0 (@owlstronaut)
• 0323f2d #9559 template-oss-apply (@owlstronaut)
• ee3d87f #9559 @npmcli/template-oss@5.1.1 (@owlstronaut)
• d25a179 #9559 template-oss-apply (@owlstronaut)
• workspace: @npmcli/arborist@10.0.0-pre.1

9.0.0-pre.0 (2026-06-19)

⚠️ BREAKING CHANGES

• npm now supports node ^22.22.2 || ^24.15.0 || >=26.0.0

Features

• 18eb967 #9559 bump to new node engine range (@owlstronaut)

Dependencies

• 1f9c567 #9559 npm-registry-fetch@20.0.1

Chores

• 1453954 #9559 nock@14.0.0 (@owlstronaut)
• 0323f2d #9559 template-oss-apply (@owlstronaut)
• ee3d87f #9559 @npmcli/template-oss@5.1.1 (@owlstronaut)
• d25a179 #9559 template-oss-apply (@owlstronaut)
• 40fcab4 #8991 @npmcli/template-oss@4.29.0 (@wraithgar)
• 5e0909b #8620 fix spelling in workspaces (#8620) (@jsoref)

8.0.0-pre.0 (2026-06-19)

⚠️ BREAKING CHANGES

• npm now supports node ^22.22.2 || ^24.15.0 || >=26.0.0

Features

• 18eb967 #9559 bump to new node engine range (@owlstronaut)

Bug Fixes

• c5292fa #9422 use prerelease strategy without a bug (@owlstronaut)

Chores

• 0323f2d #9559 template-oss-apply (@owlstronaut)
• ee3d87f #9559 @npmcli/template-oss@5.1.1 (@owlstronaut)
• d25a179 #9559 template-oss-apply (@owlstronaut)

Dependencies

• workspace: @npmcli/arborist@10.0.0-pre.1

11.0.0-pre.0 (2026-06-19)

⚠️ BREAKING CHANGES

• npm now supports node ^22.22.2 || ^24.15.0 || >=26.0.0

Features

• 18eb967 #9559 bump to new node engine range (@owlstronaut)
• 64e3f79 #9480 allowScripts tooling and inBundle hardening (#9480) (@JamieMagee)

Bug Fixes

• 6901bb1 #9436 escape executable name in libnpmexec run-script (#9436) (@rootvector2)
• c5292fa #9422 use prerelease strategy without a bug (@owlstronaut)
• 6237783 #9408 exempt local project introspection from allow-directory (@owlstronaut)

Dependencies

• b62db95 #9559 bin-links@7.0.0
• 3484d7f #9559 read@6.0.0
• 21df0ab #9559 proc-log@7.0.0
• a44c1cf #9559 pacote@22.0.0
• d80859a #9559 npm-package-arg@14.0.0
• 9d13ebf #9559 @npmcli/run-script@11.0.0
• 0be6ae2 #9559 @npmcli/package-json@8.0.0

Chores

• 1453954 #9559 nock@14.0.0 (@owlstronaut)
• 0323f2d #9559 template-oss-apply (@owlstronaut)
• ee3d87f #9559 @npmcli/template-oss@5.1.1 (@owlstronaut)
• d25a179 #9559 template-oss-apply (@owlstronaut)
• workspace: @npmcli/arborist@10.0.0-pre.1

9.0.0-pre.0 (2026-06-19)

⚠️ BREAKING CHANGES

• npm now supports node ^22.22.2 || ^24.15.0 || >=26.0.0
• allow-git and allow-remote now default to "none"; set them to "all" (or "root") to install git or user-supplied tarball-URL dependencies.

Features

• 18eb967 #9559 bump to new node engine range (@owlstronaut)
• caa3295 #9466 default allow-git and allow-remote to none (@owlstronaut)

Bug Fixes

• c5292fa #9422 use prerelease strategy without a bug (@owlstronaut)

Dependencies

• cc96d57 #9559 @npmcli/installed-package-contents@5.0.0
• a44c1cf #9559 pacote@22.0.0
• d80859a #9559 npm-package-arg@14.0.0

Chores

• 0323f2d #9559 template-oss-apply (@owlstronaut)
• ee3d87f #9559 @npmcli/template-oss@5.1.1 (@owlstronaut)
• d25a179 #9559 template-oss-apply (@owlstronaut)
• workspace: @npmcli/arborist@10.0.0-pre.1