[pull] latest from npm:latest

.commitlintrc.js

@@ -7,5 +7,6 @@ module.exports = {
     'header-max-length': [2, 'always', 80],
     'subject-case': [0],
     'body-max-line-length': [0],
+    'footer-max-line-length': [0],
   },
 }

.eslintrc.js

@@ -12,6 +12,8 @@ module.exports = {
   root: true,
   ignorePatterns: [
     'tap-testdir*/',
+    '/node_modules/.bin/',
+    '/node_modules/.cache/',
     'docs/**',
     'smoke-tests/**',
     'mock-globals/**',

.gitattributes

@@ -16,7 +16,9 @@
 /node_modules/.gitignore text eol=lf
 /workspaces/arborist/test/fixtures/.gitignore text eol=lf
 /DEPENDENCIES.md text eol=lf
+/DEPENDENCIES.json text eol=lf
 /AUTHORS text eol=lf
+/docs/lib/content/nav.yml text eol=lf
 
 # fixture tarballs should be treated as binary
 /workspaces/*/test/fixtures/**/*.tgz binary

.github/CODEOWNERS

@@ -1,3 +1,3 @@
 # This file is automatically added by @npmcli/template-oss. Do not edit.
 
-* @npm/cli-team
+* @npm/cli-team @npm/cli-triage

.github/ISSUE_TEMPLATE/bug.yml

@@ -17,6 +17,13 @@ body:
     options:
     - label: I am using the latest npm
       required: true
+- type: checkboxes
+  attributes:
+    label: This is not just a request to bump a dependency for a CVE
+    description: npm bundles its dependencies and updates them on a regular cadence, so CVEs in our bundled dependencies are picked up automatically. Issues opened solely to request a dependency bump for a CVE will be closed. To report an actual vulnerability in npm, please follow our [security policy](https://github.com/npm/cli/blob/latest/SECURITY.md) instead.
+    options:
+    - label: This is not solely a request to bump a dependency for a CVE
+      required: true
 - type: textarea
   attributes:
     label: Current Behavior

.github/ISSUE_TEMPLATE/config.yml

@@ -1,5 +1,8 @@
 blank_issues_enabled: true
 contact_links:
+  - name: 🔒 Dependency CVE / security advisory in a bundled dependency
+    url: https://github.com/npm/cli/blob/latest/SECURITY.md
+    about: npm bundles its dependencies and updates them regularly, so CVEs in our bundled dependencies are picked up automatically. Please don't open an issue just to request a dependency bump for a CVE. To report a vulnerability in npm, see our security policy.
   - name: ❓ Help with issues in older versions of the CLI
     url: https://github.community/c/software-development/47
     about: Find/file tickets with the community
@@ -18,6 +21,6 @@ contact_links:
   - name: 📫 Support
     url: https://github.community/
     about: For general support questions please open a topic over at github.community
-   - name: 🚑 Support Policy
+  - name: 🚑 Support Policy
     url: https://github.com/npm/cli/wiki/Support-Policy
     about: Information about what version(s) of the CLI we support

.github/actions/create-check/action.yml

@@ -25,7 +25,7 @@ runs:
       with:
         result-encoding: string
         script: |
-          const { repo: { owner, repo}, runId, serverUrl } = context          
+          const { repo: { owner, repo}, runId, serverUrl } = context
           const { JOB_NAME, SHA } = process.env
 
           const job = await github.rest.actions.listJobsForWorkflowRun({

.github/actions/install-latest-npm/action.yml

@@ -44,7 +44,7 @@ runs:
             MATCH=$SPEC
             echo "Found compatible version: npm@$MATCH"
             break
-          fi  
+          fi
         done
 
         if [ -z $MATCH ]; then

.github/workflows/audit.yml

@@ -8,6 +8,9 @@ on:
     # "At 08:00 UTC (01:00 PT) on Monday" https://crontab.guru/#0_8_*_*_1
     - cron: "0 8 * * 1"
 
+permissions:
+  contents: read
+
 jobs:
   audit:
     name: Audit Dependencies
@@ -18,17 +21,17 @@ jobs:
         shell: bash
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
       - name: Setup Git User
         run: |
           git config --global user.email "[email protected]"
           git config --global user.name "npm CLI robot"
       - name: Setup Node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         id: node
         with:
-          node-version: 22.x
-          check-latest: contains('22.x', '.x')
+          node-version: 26.x
+          check-latest: contains('26.x', '.x')
           cache: npm
       - name: Check Git Status
         run: node scripts/git-dirty.js

.github/workflows/backport.yml

@@ -0,0 +1,97 @@
+name: Backport
+
+on:
+  pull_request_target:
+    types: [closed, labeled]
+  # TODO: Remove before merging — manual trigger for testing from any branch
+  workflow_dispatch:
+    inputs:
+      pr_number:
+        description: 'Merged PR number to test backporting'
+        required: true
+        type: number
+
+permissions:
+  actions: write
+  contents: write
+  pull-requests: write
+
+jobs:
+  backport:
+    name: Backport
+    runs-on: ubuntu-latest
+    # Run when a labeled PR is merged, or when a backport label is added to an already-merged PR.
+    # Uses pull_request_target so the token has write access even for PRs from forks.
+    if: >-
+      github.repository_owner == 'npm' &&
+      github.event.pull_request.merged == true &&
+      (
+        (github.event.action == 'closed' &&
+         contains(join(github.event.pull_request.labels.*.name, ','), 'backport:'))
+        ||
+        (github.event.action == 'labeled' &&
+         startsWith(github.event.label.name, 'backport:'))
+      )
+    defaults:
+      run:
+        shell: bash
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+      - name: Setup Git User
+        run: |
+          git config --global user.email "[email protected]"
+          git config --global user.name "npm CLI robot"
+      - name: Create Backports
+        uses: actions/github-script@v7
+        env:
+          MERGE_COMMIT_SHA: ${{ github.event.pull_request.merge_commit_sha }}
+        with:
+          script: |
+            const backport = require('./scripts/backport.js')
+            await backport({ github, context, core })
+
+  # TODO: Remove before merging — manual test job
+  backport-test:
+    name: Backport (Test)
+    if: github.event_name == 'workflow_dispatch'
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: bash
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+      - name: Setup Git User
+        run: |
+          git config --global user.email "[email protected]"
+          git config --global user.name "npm CLI robot"
+      - name: Create Backports
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const { data: pr } = await github.rest.pulls.get({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: ${{ inputs.pr_number }},
+            })
+
+            if (!pr.merged) {
+              return core.setFailed('PR #${{ inputs.pr_number }} is not merged')
+            }
+
+            process.env.MERGE_COMMIT_SHA = pr.merge_commit_sha
+
+            const backport = require('./scripts/backport.js')
+            await backport({
+              github,
+              core,
+              context: {
+                ...context,
+                payload: { action: 'closed', pull_request: pr },
+              },
+            })

.github/workflows/ci-libnpmaccess.yml

@@ -17,6 +17,9 @@ on:
     # "At 09:00 UTC (02:00 PT) on Monday" https://crontab.guru/#0_9_*_*_1
     - cron: "0 9 * * 1"
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     name: Lint
@@ -27,30 +30,26 @@ jobs:
         shell: bash
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
       - name: Setup Git User
         run: |
           git config --global user.email "[email protected]"
           git config --global user.name "npm CLI robot"
       - name: Setup Node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         id: node
         with:
-          node-version: 22.x
-          check-latest: contains('22.x', '.x')
+          node-version: 26.x
+          check-latest: contains('26.x', '.x')
           cache: npm
-      - name: Install Latest npm
-        uses: ./.github/actions/install-latest-npm
-        with:
-          node: ${{ steps.node.outputs.node-version }}
       - name: Check Git Status
         run: node scripts/git-dirty.js
       - name: Reset Deps
         run: node scripts/resetdeps.js
       - name: Lint
-        run: npm run lint --ignore-scripts -w libnpmaccess
+        run: npm run lint --ignore-scripts --workspace libnpmaccess
       - name: Post Lint
-        run: npm run postlint --ignore-scripts -w libnpmaccess
+        run: npm run postlint --ignore-scripts --workspace libnpmaccess
 
   test:
     name: Test - ${{ matrix.platform.name }} - ${{ matrix.node-version }}
@@ -66,60 +65,56 @@ jobs:
             os: macos-latest
             shell: bash
           - name: macOS
-            os: macos-13
+            os: macos-15-intel
             shell: bash
           - name: Windows
             os: windows-latest
             shell: cmd
         node-version:
-          - 16.14.0
-          - 16.x
-          - 18.0.0
-          - 18.x
-          - 20.x
+          - 22.22.2
           - 22.x
+          - 24.15.0
+          - 24.x
+          - 26.0.0
+          - 26.x
         exclude:
-          - platform: { name: macOS, os: macos-13, shell: bash }
-            node-version: 16.14.0
-          - platform: { name: macOS, os: macos-13, shell: bash }
-            node-version: 16.x
-          - platform: { name: macOS, os: macos-13, shell: bash }
-            node-version: 18.0.0
-          - platform: { name: macOS, os: macos-13, shell: bash }
-            node-version: 18.x
-          - platform: { name: macOS, os: macos-13, shell: bash }
-            node-version: 20.x
-          - platform: { name: macOS, os: macos-13, shell: bash }
+          - platform: { name: macOS, os: macos-15-intel, shell: bash }
+            node-version: 22.22.2
+          - platform: { name: macOS, os: macos-15-intel, shell: bash }
             node-version: 22.x
+          - platform: { name: macOS, os: macos-15-intel, shell: bash }
+            node-version: 24.15.0
+          - platform: { name: macOS, os: macos-15-intel, shell: bash }
+            node-version: 24.x
+          - platform: { name: macOS, os: macos-15-intel, shell: bash }
+            node-version: 26.0.0
+          - platform: { name: macOS, os: macos-15-intel, shell: bash }
+            node-version: 26.x
     runs-on: ${{ matrix.platform.os }}
     defaults:
       run:
         shell: ${{ matrix.platform.shell }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
       - name: Setup Git User
         run: |
           git config --global user.email "[email protected]"
           git config --global user.name "npm CLI robot"
       - name: Setup Node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         id: node
         with:
           node-version: ${{ matrix.node-version }}
           check-latest: contains(matrix.node-version, '.x')
           cache: npm
-      - name: Install Latest npm
-        uses: ./.github/actions/install-latest-npm
-        with:
-          node: ${{ steps.node.outputs.node-version }}
       - name: Check Git Status
         run: node scripts/git-dirty.js
       - name: Reset Deps
         run: node scripts/resetdeps.js
       - name: Add Problem Matcher
         run: echo "::add-matcher::.github/matchers/tap.json"
       - name: Test
-        run: npm test --ignore-scripts -w libnpmaccess
+        run: npm test --ignore-scripts --workspace libnpmaccess
       - name: Check Git Status
         run: node scripts/git-dirty.js