Skip to searchSkip to content

Changelog

Select CLI Version:

Table of contents

12.0.0-pre.0.0 (2026-05-20)

⚠️ BREAKING CHANGES

  • npm view --json now always returns an array.
  • npm sbom --sbom-format=cyclonedx now reports the name field from each package's package.json instead of the on-disk directory name. The name, bom-ref, and purl of the root component and of aliased dependencies may change.
  • npm no longer registers man pages with the system when installed globally. man npm-install will no longer work, but npm help install is unaffected.
  • The npm pkg output is no longer forced to json. This means you can get single values without having to worry about wrapping of the values. It also outputs non-json content more similarly to npm view.
  • npm shrinkwrap is removed, the shrinkwrap config alias is removed, and npm-shrinkwrap.json is no longer loaded or honored at the project root or from inside dependency tarballs. Rename project-root npm-shrinkwrap.json to package-lock.json; use bundleDependencies if you need to ship a locked dependency tree.
  • The Twitter and Freenode profile fields have been removed from the npm registry. This means that users will no longer be able to set or view these fields in their npm profiles.
  • npm will no longer attempt to resolve the path to node via whichnode. process.execPath is already set by Node to the resolved real path of the node binary, so the lookup was redundant. Scripts that expected npm to override process.execPath with a PATH-resolved (potentially symlinked) node path may be affected.
  • the --json output of npm pack and npm publish have changed. They are now always consistent, and in the same format.
  • the star, stars and unstar commands have been removed
  • The npm adduser command has been removed. Create and manage user accounts on the npm website, and use npm login to authenticate on the command line.

Features

  • 254809e #9201 npm stage (#9201) (@reggi, @Copilot)
  • cf94dbe #9248 add permissions support to trust commands (#9248) (@reggi, @Copilot)
  • e0f12f7 #9348 add allow-git/allow-file/allow-directory/allow-remote configs (@owlstronaut)
  • 916cb4b #9287 add allow-directory, allow-file, and allow-remote (#9287) (@wraithgar)
  • 2e5dcad #9262 drop npm-shrinkwrap.json support (@owlstronaut)
  • 2397196 #9265 Remove Twitter and Freenode profile fields (@owlstronaut)
  • 738be10 #9196 remove star commands (#9196) (@wraithgar)
  • db7c1f8 #9163 add u as alias for update command (#9163) (@Ausoj)
  • 45e44dd #9228 adds a backport script (@owlstronaut)

Bug Fixes

  • 2a13550 #9380 key stage download --json output by package name (#9380) (@reggi, @Copilot)
  • ca585c8 #9368 allow min-release-age in npmrc to coexist with --before (@raazkhnl)
  • f550eb4 #9348 refactor #failureNode, adjust tests and safety (@owlstronaut)
  • 1f17566 #9348 allow-remote=none does not block registry tarballs (@owlstronaut)
  • 70af7b3 #9327 remove settings (#9327) (@owlstronaut)
  • d623988 #9311 sbom: dedupe per-node dependsOn / relationships (#9311) (@mikaelkristiansson)
  • d36945d #9160 do not unwrap single-item arrays in --json output (@yetanotheraryan)
  • faf7348 #9284 align CycloneDX SBOM component names with SPDX (#9284) (@cyphercodes, @cyphercodes)
  • e20424b #9035 don't install man pages in system locations (@owlstronaut)
  • 01d9acd #9269 pkg: output like npm view does, do not force json output (@wraithgar)
  • 27567ab #9257 ignore intended error code (@owlstronaut)
  • 4ef5b6e #9039 stop resolving node path via whichnode (@owlstronaut)
  • 2e9b26e #9247 sync json output of pack and publish (#9247) (@wraithgar)
  • 7357d7f #9036 remove npm adduser command (@owlstronaut)

Documentation

  • c97b39b #9363 add example to optionalDependencies section (#9363) (@verifizieren)
  • 6704ab2 #9335 npm view with json outputs array docs update (#9335) (@yetanotheraryan)

Dependencies

Chores

11.12.1 (2026-03-24)

Bug Fixes

  • 596706a #9148 revert prefer-offline/prefer-online exclusivity (#9129) (@owlstronaut)

Documentation

  • d1ee8a5 #9140 Add note on relative path prefix for npm publish (#9140) (@pydsigner)

Dependencies

11.12.0 (2026-03-18)

Features

  • 8eff5fb #9049 audit: add --include-attestations flag to output sigstore bundles (#9049) (@mitchdenny)

Bug Fixes

  • 03af94d #9123 skip synopsis code block when command has no usage (@owlstronaut)
  • 21ea382 #9110 arborist: resolve sibling override sets via common ancestor (#9110) (@manzoorwanijk)

Dependencies

Chores

11.11.1 (2026-03-10)

Bug Fixes

  • a9d242b #9099 include all subcommands on main command help (#9099) (@wraithgar)
  • 29b8407 #9087 unwrap comments and lines meant for output (#9087) (@wraithgar)
  • b56986a #9095 ls: suppress false UNMET DEPENDENCYs in linked strategy (#9095) (@manzoorwanijk)
  • 76c76e5 #9083 ci: don't error on optional deps in the lockfile (#9083) (@wraithgar)
  • a29aeee #9028 arborist: retry bin-links on Windows EPERM (#9028) (@manzoorwanijk)
  • 6565eeb #9045 bypass packument cache to prevent ETARGET errors after publish (#9045) (@Jadu07)

Documentation

  • 3b96929 #9074 scripts: remove mention of obsolete root user behavior (#9074) (@mohd-akram)
  • 16ac4e0 #9054 fix workspace cross-dependency documentation (@owlstronaut)

Dependencies

Chores

11.11.0 (2026-02-25)

Features

  • 4fcd352 #9017 add :type(registry) to query selector syntax (#9017) (@wraithgar)
  • e1b21f0 #8909 adds circleci to trust command (#8909) (@owlstronaut)
  • 9a33ad0 #8925 adds circleci to oidc (#8925) (@owlstronaut)

Bug Fixes

  • 4426411 #9026 npm audit signatures for keyless attestation registries (#9026) (@ajayk)
  • 658b323 #9010 handle legacy licenses array in sbom output (#9010) (@JNC4)

Documentation

  • 143f8cd #9007 docs shouldn't wrap yaml description (#9007) (@owlstronaut)

Dependencies

11.10.1 (2026-02-19)

Bug Fixes

  • 9fac412 #8995 improve unknown config warning with .npmrc section hint (#8995) (@umeshmore45)
  • bb135cc #8981 arborist: fix peerOptional dependency resolution in buildIdealTree (#8981) (@Saibamen, @cursoragent)
  • 5c03826 #8993 remove tabular output from "npm view" (@wraithgar)
  • 4648f26 #8993 remove tabular output from "npm team" (@wraithgar)

Documentation

  • 0a5756d #8998 clarify unsupported custom .npmrc keys and recommend alternatives (#8998) (@maitrawebtech)
  • 22c9153 #8985 fix typo and grammar in README (#8985) (@csmit195, Chris)

Dependencies

Chores

11.10.0 (2026-02-11)

Features

Dependencies

Chores

11.9.0 (2026-02-04)

Features

Bug Fixes

  • 2242f25 #8952 webauth: improve error messages around webauth in non-TTY (#8952) (@Andarist)

Dependencies

Chores

11.8.0 (2026-01-21)

Features

  • 545e861 #8828 show proxy environment variables in npm config list (Max Black)

Bug Fixes

  • c2f784d #8859 preserve serialNumber UUID in CycloneDX SBOM output #8837 (#8859) (@saksham-malhotra-27)
  • f2c3af7 #8840 more intuitive byte formatting boundaries for rounding (#8840) (@watilde)

Documentation

  • 3474ec3 #8866 fix typo/logic error in npm-dedupe docs (#8866) (@Schweinepriester)
  • 5552e46 #8797 npm-install: explain package-lock.json behavior (#8797) (@MaxBlack-dev, Max Black)

Dependencies

Chores

11.7.0 (2025-12-09)

Features

  • b380d15 #8697 add deduping to notices unless in verbose+ mode (@owlstronaut)

Bug Fixes

  • 4ebb831 #8839 updates hints to use cli paradigm (@owlstronaut)
  • 7896e51 #8838 update the token list text (@owlstronaut)
  • 8ab8668 #8836 query: support package-lock-only in workspaces (@watilde)
  • 35e8d38 #8322 properly handle newlines with input when using the spinner (#8322) (@mbtools)
  • 0c0faae #8780 adduser: improve email prompt (#8780) (@mbtools)

Documentation

  • 7f2ab9d #8810 scripts: replace deprecated prepublish and install examples with prepare (Max Black)
  • 91ebab7 #8847 remove note about token create being disabled (@owlstronaut)
  • 2030250 #8822 scripts: clarify prepare script runs with --production (Max Black)
  • 33a50d7 #8821 scripts: update npmpackage* environment variables documentation (Max Black)
  • 50508f9 #8793 package-json: add documentation for type field (#8793) (@MaxBlack-dev, Max Black)
  • aa1dd7e #8823 scripts: document that prepare scripts run concurrently in workspaces (Max Black)
  • 3f48487 #8820 package-spec: fix alias syntax in examples (Max Black)
  • dd104da #8812 version: add note about git version requirements (Max Black)
  • 58afdcc #8792 install: clarify prerelease version range behavior (Max Black)
  • 9f818e8 #8795 npm-view: clarify object property access syntax and provide examples (Max Black)
  • 39c2f2e #8791 add examples for command line flags including --prefix (Max Black)
  • 1298530 #8790 clarify version field can be omitted in package-lock (Max Black)
  • 090b6ca #8794 npx: clarify that arguments are passed to executed command (Max Black)
  • a864f80 #8787 document gypfile field in package.json (Max Black)
  • 2fc689d #8788 add field access patterns to npm view (Max Black)
  • 4850639 #8796 package-json: add examples for replacing dependencies with forks in overrides (Max Black)
  • 4864dd4 #8798 npm-install: document engines field priority when installing packages (Max Black)
  • 95d25cd #8799 package-json: clarify repository field normalization during publish (Max Black)
  • a367f9b #8800 package-lock-json: clarify that version field may be omitted for certain dependencies (Max Black)
  • ffc9b71 #8801 npm-install: clarify --tag does not override package.json (#8801) (@MaxBlack-dev, Max Black)
  • 73688ca #8735 clarify npm version behavior with prerelease versions (#8735) (@yashwantbezawada)
  • 4a32606 #8785 updates the token create documentation (#8785) (@owlstronaut, @wraithgar)

Chores

Dependencies

11.6.4 (2025-11-25)

Documentation

  • dfb83c7 #8749 add example for keywords field (#8749) (@MaxBlack-dev, Max Black)
  • 1b1e227 #8750 remove outdated roadmap link (#8750) (@MaxBlack-dev, Max Black)
  • 1333d57 #8752 clarify .npmrc naming convention for environment variable overrides (#8752) (@MaxBlack-dev)
  • 22cddb8 #8755 add workspace dependencies example to workspaces (Max Black)
  • 17e154c #8756 standardize env vars to uppercase convention (Max Black)
  • 1e51a25 #8754 fix lifecycle event order for prepare script (Max Black)
  • 8d72bc9 #8753 add os, cpu, and funding fields to package-lock.json (Max Black)

Dependencies

11.6.3 (2025-11-19)

Bug Fixes

  • c6242d9 #8706 change npm profile to create tokens with GAT support (#8706) (@owlstronaut, @wraithgar)
  • cbc6fa9 #8731 order of version information in error message (#8731) (@piotrd, @pd-be)
  • 11dbd7e #8709 display full token when creating authentication tokens (#8709) (@MaxBlack-dev, Max Black)
  • 49a4eef #8676 use look behind regex for trailing slash stripping (#8676) (@wraithgar)
  • b1aee62 #8645 dep flag calculation (#8645) (@liamcmitchell)

Documentation

  • ca53c21 #8745 add workspace usage examples (#8745) (@MaxBlack-dev, Max Black)
  • e71ca0e #8746 add --save flag to documentation (#8746) (@MaxBlack-dev, Max Black)
  • 06510a8 #8683 add ignore-scripts option to npm version help and docs (#8683) (@Tejas242)

Dependencies

Chores

11.6.2 (2025-10-08)

Bug Fixes

  • c54d1e9 #8633 progress bar code cleanup (#8633) (@wraithgar)
  • d352e27 #8629 do not redact notice logs going to stdout (#8629) (@wraithgar)
  • 5ac3678 #8617 spelling in ./lib and ./test/lib (#8617) (@jsoref)
  • 9197995 #8619 spelling (#8619) (@jsoref)
  • dd884e3 #8618 spelling (#8618) (@jsoref)
  • f6028e6 #8614 skip redacting urls meant for opening by the user (#8614) (@wraithgar, @jolyndenning)
  • 54fd27f #8602 refactor node.ideallyInert to node.inert (#8602) (@liamcmitchell)
  • 79e3c1e #8593 use @npmcli/package-json to normalize package data (@wraithgar)

Documentation

Dependencies

Chores

11.6.1 (2025-09-23)

Bug Fixes

  • d389614 #8579 corrects peer dependency flag propagation (@owlstronaut)
  • 5db81c3 #8512 allow concurrent non-local npx calls (#8512) (@jenseng, @wraithgar)

Documentation

Dependencies

Chores

11.6.0 (2025-09-03)

Features

  • bdcc10d #8359 add support for optional env var replacements in .npmrc (#8359) (@aczekajski, @owlstronaut)

Bug Fixes

  • dd4cee9 #8539 powershell: improve argument parsing (#8539) (@alexsch01)
  • 5f18557 #8532 powershell: fix issue with modified InvocationName (#8532) (@alexsch01)
  • 9e5abf1 #8529 add redaction to log format egress (#8529) (@wraithgar)
  • 75ce64a #8524 revert handle signal exits gracefully (#8524) (@owlstronaut)
  • 5d82d0b #8469 ps1 scripts in powershell 5.1 (#8469) (@splatteredbits)

Dependencies

11.5.2 (2025-07-30)

Bug Fixes

  • 7d900c4 #8467 oidc visibility check for provenance (#8467) (@reggi, @wraithgar)

Documentation

  • d4e56b2 #8459 update snapshot generation command (#8459) (@MikeMcC399)

11.5.1 (2025-07-24)

Bug Fixes

  • 476bf17 #8457 provenance should only default for oidc (@reggi)

11.5.0 (2025-07-24)

Features

  • 1cce318 #8336 adds support for oidc publish (#8336) (@reggi)

Bug Fixes

  • 7f66f0a #8447 add better hint for before and clean up description (@wraithgar)
  • 280817a #8447 add --before param to command help output (@wraithgar)
  • 6e47325 #8441 Makes 404 errors less scary without revealing existence (#8441) (@owlstronaut)
  • 0a97ffd #8429 handle signal exits gracefully (@owlstronaut)
  • 5b858c6 #8411 ensure progress bars display consistently across all environments (#8411) (@owlstronaut)

Documentation

  • ef3529e #8435 add test snapshot (#8435) (@reggi, @wraithgar)
  • b7758d7 #8418 remove reference to Node.js download less common os (#8418) (@MikeMcC399)
  • 746ac5d #8380 remove duplicate info (#8380) (@alexsch01)
  • 4673e9c #8371 rebrand OS X references to macOS (@MikeMcC399)

Dependencies

Chores

11.4.2 (2025-06-11)

Bug Fixes

  • f2d6947 #8345 move warning to new line when npm init is canceled (@mbtools)
  • e758dd7 #8318 powershell: multiple Invoke-Expression fixes (#8318) (@alexsch01)

Documentation

  • 7233cb3 #8355 remove deprecated section related temp files (#8355) (@milaninfy)
  • fb7a498 #8351 clarify shell used for script (#8351) (@milaninfy)
  • 8b55d38 #8329 Rename "command" to "script" (#8329) (@DanKaplanSES)

Dependencies

Chores

11.4.1 (2025-05-21)

Documentation

  • 3ed764a #8308 Clarify script working directory behavior (fixes #8305) (#8308) (@tarekwfa0110, @owlstronaut)

Chores

  • 2f30251 #8314 remove references to skimdb.npmjs.com (#8314) (@shmam)
  • 9cb9d50 #8298 add contributor to changelog entry (#8298) (@wraithgar)

Dependencies

11.4.0 (2025-05-15)

Features

  • a0e60fb #8246 added init-private option (@owlstronaut)
  • 57aa89f #8265 use run by default and run-script as the alias (#8265) (@owlstronaut)
  • 0d4c023 #8234 install: add package info to json output (#8234) (@wraithgar)

Bug Fixes

  • 8794fd9 #8297 powershell: support pipeline input with Invoke-Expression (#8297) (@alexsch01)
  • b5173d1 #8293 docs: corrected github_path (#8293) (@xaos7991)
  • 2210d7a #8278 powershell: use Invoke-Expression to pass args (#8278) (@alexsch01, @mbtools)
  • 8669d09 #8228 add otplease for enable-2fa, disable-2fa, access (#8228) (@reggi, @wraithgar)
  • 78b5a6f #8269 correctly handle scenario where prefix is the cwd (#8269) (@owlstronaut, @ficocelliguy)
  • fdc3413 #8221 exec: Fails to Execute Binaries Named After Shell Keywords (#8221) (@13sfaith)
  • 4b08e2e #8245 docs: prepare script runs for local package links (@milaninfy)
  • 1622ac4 #8241 handle missing time in packument to prevent crash on npm view (@owlstronaut)
  • db8f5da #8110 outdated: add dependent location in long output (#8110) (@milaninfy, @wraithgar)

Documentation

  • d2498df #8295 Remove CHANGELOG from never-ignored list (#8295) (@mrazauskas)
  • 4d5c3c1 #8283 fix overrides example in package-json.md (#8283) (@glasser)
  • 96cc4f9 #8226 format publish as code to highlight it (@LiangYingC)
  • 4990ea0 #8226 clarify legacy token creation in npm login and adduser commands (@LiangYingC)

Dependencies

Chores

11.3.0 (2025-04-08)

Features

Bug Fixes

  • 2f5392a #8135 make npm run autocomplete work with workspaces (#8135) (@terrainvidia)

Documentation

  • 26b6454 fix grammar in local path note (@cgay)
  • 1c0e83d #7886 fix typo in package-json.md (#7886) (@stoneLeaf)
  • 14efa57 #8178 fix example package name in overrides explainer (#8178) (@G-Rath)
  • 4183cba #8162 logging: replace proceeding with preceding in loglevels details (#8162) (@tyleralbee)

Dependencies

Chores

11.2.0 (2025-03-05)

Features

Bug Fixes

  • 8461186 #8100 update npx cache if possible when spec is a range (@wraithgar)
  • e345cc5 #8050 don't suggest npm update outside of valid engine range (#8050) (@milaninfy)
  • 811ca29 #8115 stop working around bug fixed in npm-package-arg@12.0.2 (@TrevorBurnham)
  • 879303c #8078 warn on invalid publishConfig (#8078) (@wraithgar)
  • 41417de #8080 warn when TUF fetching of keys fails (#8080) (@wraithgar)
  • 593c849 #8076 warn on invalid single-hyphen cli flags (#8076) (@wraithgar)

Dependencies

Chores

11.1.0 (2025-01-29)

Features

  • 7f6c997 #8009 add dry-run to deprecate/undeprecate commands (@wraithgar)
  • 1764a37 #8009 add npm undeprecate command (@wraithgar)

Bug Fixes

  • 31455b2 #8054 publish: honor force for no dist tag and registry version check (#8054) (@reggi)
  • dc31c1b #8038 remove max-len linting bypasses (@wraithgar)
  • 8a911ff #8038 publish: disregard deprecated versions when calculating highest version (@wraithgar)
  • 7f72944 #8038 publish: accept publishConfig.tag to override highest semver check (@wraithgar)
  • ab9ddc0 #7992 sbom: deduplicate sbom dependencies (#7992) (@bdehamer)
  • f7da341 #7980 search: properly display multiple search terms (#7980) (@wraithgar)

Documentation

  • 3644e79 #8055 update readme for Node.js versions, remove badges (#8055) (@wraithgar)
  • f1af61f #8041 fix typos in "package-json" (#8041) (@maxkoryukov)
  • e90c6fe #8051 depth flag default value (#8051) (@milaninfy)
  • 866b5ee #8030 safer documentation urls, repos, packages (#8030) (@reggi)

Dependencies

Chores

  • 61f00e3 #8069 splits out smoke-tests from publish-dryrun tests (#8069) (@reggi)
  • 6d0f46e #8058 stop publish smoke from check git clean (#8058) (@reggi)
  • 9281ebf #8057 fix smoke tests prerelease needs separate string args (#8057) (@reggi)
  • aa202e9 #8056 smoke tests using a preid (#8056) (@reggi)
  • 18e0449 #8053 dev dependency updates (@wraithgar)
  • 859a71c #8052 update node versions for release integration tests (#8052) (@wraithgar)
  • 7e7961d #8038 bump @npmcli/eslint-config to 5.1.0 (@wraithgar)
  • workspace: @npmcli/config@10.0.1

11.0.0 (2024-12-16)

Documentation

  • 8a911da #7963 ls: removed design change pending section note (#7963) (@milaninfy)

Dependencies

Chores

11.0.0-pre.1 (2024-12-06)

⚠️ BREAKING CHANGES

  • Upon publishing, in order to apply a default "latest" dist tag, the command now retrieves all prior versions of the package. It will require that the version you're trying to publish is above the latest semver version in the registry, not including pre-release tags.
  • npm init now has a type prompt, and sorts the entries in created packages differently
  • bun.lockb files are now included in the strict ignore list during packing

Features

  • f3ac7b7 #7939 no implicit latest tag on publish when latest > version (#7939) (@reggi, @ljharb)

Bug Fixes

  • e362c6d #7944 prefix: remove duplicate -g from usage output (#7944) (@wraithgar)

Documentation

Dependencies

Chores

11.0.0-pre.0 (2024-11-26)

⚠️ BREAKING CHANGES

  • When publishing a package with a pre-release version, you must explicitly specify a tag.
  • --ignore-scripts now applies to all lifecycle scripts, include prepare
  • npm will no longer fall back to the old audit endpoint if the bulk advisory request fails.
  • npm will no longer switch to global mode if aliased to "npmg" or "npm-g" etc.
  • The npm hook command has been removed
  • Attestations made by this package will no longer validate in npm versions prior to 10.6.0
  • npm now supports node ^20.17.0 || >=22.9.0
  • @npmcli/docs now supports node ^20.17.0 || >=22.9.0

Features

Bug Fixes

  • 16b7367 #7910 publishing prerelease requires explicit tag (#7910) (@reggi)
  • e19bff0 #7901 perf: enable compile cache if present (#7901) (@H4ad)
  • 080a0f2 #7911 remove old audit fallback request (@wraithgar)
  • 780afc5 #7855 pkg: display if any of multiple attributes exist (#7855) (@Sanderovich)
  • ecd2d23 #7842 don't go into global mode if aliased to npmg (#7842) (@wraithgar)
  • 62c71e5 #7835 removes npm hook command (@reggi)
  • 7f541e8 #7815 make pack and exec work with git hash refs (#7815) (@milaninfy)
  • 3162620 #7831 sets node engine range to ^20.17.0 || >=22.9.0 (@reggi)
  • 4c8ba0a #7831 for @npmcli/docs sets node engine range to ^20.17.0 || >=22.9.0 (@reggi)
  • 70cd88d #7808 view: sort and truncate dist-tags (#7808) (@wraithgar)
  • 534ad77 #7795 remove unused parameters catch statements (#7795) (@btea)

Documentation

  • feb54f7 #7822 package.json: add libc field (#7822) (@wraithgar)

Dependencies

Chores

Edit this page on GitHub
5 contributorsgithub-actions[bot]jsorefwraithgarnlflukekarrys
Last edited by github-actions[bot] on May 20, 2026

Table of contents