chore: release 12.0.0-pre.0.0

[github-actions]

🤖 I have created a release beep boop

12.0.0-pre.0.0

12.0.0-pre.0.0 (2026-05-20)

⚠️ BREAKING CHANGES

• npm view --json now always returns an array.
• npm sbom --sbom-format=cyclonedx now reports the name field from each package's package.json instead of the on-disk directory name. The name, bom-ref, and purl of the root component and of aliased dependencies may change.
• npm no longer registers man pages with the system when installed globally. man npm-install will no longer work, but npm help install is unaffected.
• The npm pkg output is no longer forced to json. This means you can get single values without having to worry about wrapping of the values. It also outputs non-json content more similarly to npm view.
• npm shrinkwrap is removed, the shrinkwrap config alias is removed, and npm-shrinkwrap.json is no longer loaded or honored at the project root or from inside dependency tarballs. Rename project-root npm-shrinkwrap.json to package-lock.json; use bundleDependencies if you need to ship a locked dependency tree.
• The Twitter and Freenode profile fields have been removed from the npm registry. This means that users will no longer be able to set or view these fields in their npm profiles.
• npm will no longer attempt to resolve the path to node via whichnode. process.execPath is already set by Node to the resolved real path of the node binary, so the lookup was redundant. Scripts that expected npm to override process.execPath with a PATH-resolved (potentially symlinked) node path may be affected.
• the --json output of npm pack and npm publish have changed. They are now always consistent, and in the same format.
• the star, stars and unstar commands have been removed
• The npm adduser command has been removed. Create and manage user accounts on the npm website, and use npm login to authenticate on the command line.

Features

• 254809e #9201 npm stage (feat: npm stage #9201) (@reggi, @Copilot)
• cf94dbe #9248 add permissions support to trust commands (feat: add permissions support to trust commands #9248) (@reggi, @Copilot)
• e0f12f7 #9348 add allow-git/allow-file/allow-directory/allow-remote configs (@owlstronaut)
• 916cb4b #9287 add allow-directory, allow-file, and allow-remote (feat: add allow-directory, allow-file, and allow-remote #9287) (@wraithgar)
• 2e5dcad #9262 drop npm-shrinkwrap.json support (@owlstronaut)
• 2397196 #9265 Remove Twitter and Freenode profile fields (@owlstronaut)
• 738be10 #9196 remove star commands (feat: remove star commands #9196) (@wraithgar)
• db7c1f8 #9163 add u as alias for update command (feat: add u as alias for update command #9163) (@Ausoj)
• 45e44dd #9228 adds a backport script (@owlstronaut)

Bug Fixes

• 2a13550 #9380 key stage download --json output by package name (fix: key stage download --json output by package name #9380) (@reggi, @Copilot)
• ca585c8 #9368 allow min-release-age in npmrc to coexist with --before (@raazkhnl)
• f550eb4 #9348 refactor #failureNode, adjust tests and safety (@owlstronaut)
• 1f17566 #9348 allow-remote=none does not block registry tarballs (@owlstronaut)
• 70af7b3 #9327 remove settings (fix: remove settings #9327) (@owlstronaut)
• d623988 #9311 sbom: dedupe per-node dependsOn / relationships (fix(sbom): dedupe per-node dependsOn / relationships #9311) (@mikaelkristiansson)
• d36945d #9160 do not unwrap single-item arrays in --json output (@yetanotheraryan)
• faf7348 #9284 align CycloneDX SBOM component names with SPDX (fix!: align CycloneDX SBOM component names with SPDX #9284) (@cyphercodes, @cyphercodes)
• e20424b #9035 don't install man pages in system locations (@owlstronaut)
• 01d9acd #9269 pkg: output like npm view does, do not force json output (@wraithgar)
• 27567ab #9257 ignore intended error code (@owlstronaut)
• 4ef5b6e #9039 stop resolving node path via whichnode (@owlstronaut)
• 2e9b26e #9247 sync json output of pack and publish (fix: sync json output of pack and publish #9247) (@wraithgar)
• 7357d7f #9036 remove npm adduser command (@owlstronaut)

Documentation

• c97b39b #9363 add example to optionalDependencies section (docs: add example to optionalDependencies section #9363) (@verifizieren)
• 6704ab2 #9335 npm view with json outputs array docs update (docs: npm view with json outputs array docs update #9335) (@yetanotheraryan)

Dependencies

• d151521 #9382 [email protected]
• a77416e #9382 [email protected]
• b2717e4 #9382 [email protected]
• 1c4a796 #9382 [email protected]
• e36a4e3 #9382 [email protected]
• 91bd674 #9382 [email protected]
• 66c7ff1 #9382 [email protected]
• 514c71b #9382 [email protected]
• fbe1dd0 #9316 [email protected]
• af65766 #9316 [email protected]
• 37bd0c6 #9316 [email protected]
• 5af02ec #9270 [email protected]
• 799866f #9270 [email protected]
• 79d394e #9270 [email protected]
• 9669d31 #9207 @sigstore/[email protected]
• b09a5ac #9207 [email protected]
• 150231d #9207 [email protected]
• 413e0a0 #9207 [email protected]
• 6faa25e #9207 [email protected]
• 87bb9d0 #9207 [email protected]
• 2501dd8 #9207 [email protected]
• ccce5f6 #9207 [email protected]

Chores

• f502c4f #9382 dev dependency updates (@owlstronaut)
• 4259e57 #9316 dev dependency updates (@owlstronaut)
• d68bd36 #9317 add cli-triage team as codeowner (chore: add cli-triage team as codeowner #9317) (@owlstronaut)
• b9332e6 #9270 dev dependency updates (@owlstronaut)
• cc468a8 #9269 refactor tests (@wraithgar)
• 2ca36c4 #9261 fixed non-functional typos throughout the codebase (@opensourcezeal)
• 8131de4 #9239 add action permission for backport workflow (@owlstronaut)
• 6df5f91 #9232 backports can trigger CI (@owlstronaut)
• 07552f5 #9224 don't run npm update in CI (@owlstronaut)
• 05dbba5 #9195 enable prerelease mode (chore: enable prerelease mode #9195) (@wraithgar)
• workspace: @npmcli/[email protected]
• workspace: @npmcli/[email protected]
• workspace: [email protected]
• workspace: [email protected]
• workspace: [email protected]
• workspace: [email protected]
• workspace: [email protected]
• workspace: [email protected]

arborist: 10.0.0-pre.0.0

10.0.0-pre.0.0 (2026-05-20)

⚠️ BREAKING CHANGES

• npm shrinkwrap is removed, the shrinkwrap config alias is removed, and npm-shrinkwrap.json is no longer loaded or honored at the project root or from inside dependency tarballs. Rename project-root npm-shrinkwrap.json to package-lock.json; use bundleDependencies if you need to ship a locked dependency tree.

Features

• e0f12f7 #9348 add allow-git/allow-file/allow-directory/allow-remote configs (@owlstronaut)
• b8655c7 #9282 arborist: add lockfileString() for in-memory lockfile generation (@ljharb)
• 2e5dcad #9262 drop npm-shrinkwrap.json support (@owlstronaut)

Bug Fixes

• 822ce86 #9343 arborist: skip lockfile entries for optional deps with incomplete manifests (fix(arborist): skip lockfile entries for optional deps with incomplete manifests #9343) (@ecanturk, @owlstronaut)
• 2c9587e #9359 arborist: only forward Link overrides when a rule names a target dep (@manzoorwanijk)
• f550eb4 #9348 refactor #failureNode, adjust tests and safety (@owlstronaut)
• 1f17566 #9348 allow-remote=none does not block registry tarballs (@owlstronaut)
• 81793ae #9332 arborist: skip extraneous fsChildren in linked-strategy reify (@manzoorwanijk)
• 4c7f6ba #9330 arborist: prune removed-workspace entries from package-lock.json (@manzoorwanijk)
• 076551b #9309 arborist: clean up orphan top-level symlinks in linked strategy (fix(arborist): clean up orphan top-level symlinks in linked strategy #9309) (@manzoorwanijk)
• 32940e2 #9299 arborist: ignore hidden entries in global update (fix(arborist): ignore hidden entries in global update #9299) (@Grynn)
• 0629fbf #9283 prefer existing tree nodes for peerOptional deps ([BUG] 11.12.1 peerOptional dependencies marked extraneous and removed #9249) (fix: prefer existing tree nodes for peerOptional deps (#9249) #9283) (@everett1992)
• bc32d94 #9198 arborist: propagate overrides through Link nodes to targets (fix(arborist): propagate overrides through Link nodes to targets #9198) (@manzoorwanijk)
• 1ab20c8 #9235 arborist: fix infinite loop with bundledDependencies and overrides (fix(arborist): fix infinite loop with bundledDependencies and overrides #9235) (@everett1992)
• 0dc5585 #9167 arborist: handle npm link with install-strategy=linked (@manzoorwanijk)
• 1d058b0 #9221 arborist: do not install inert optional extraneous shared dependencies (fix(arborist): do not install inert optional extraneous shared dependencies #9221) (@lovell)
• dcad8ec #9206 pass _isRoot context where missing (fix: pass _isRoot context where missing #9206) (@wraithgar)

Chores

• b61281d #9349 change test wording to not collide with tap (chore: change test wording to not collide with tap #9349) (@owlstronaut)

config: 11.0.0-pre.0.0

11.0.0-pre.0.0 (2026-05-20)

⚠️ BREAKING CHANGES

• npm shrinkwrap is removed, the shrinkwrap config alias is removed, and npm-shrinkwrap.json is no longer loaded or honored at the project root or from inside dependency tarballs. Rename project-root npm-shrinkwrap.json to package-lock.json; use bundleDependencies if you need to ship a locked dependency tree.

Features

• 916cb4b #9287 add allow-directory, allow-file, and allow-remote (feat: add allow-directory, allow-file, and allow-remote #9287) (@wraithgar)
• 2e5dcad #9262 drop npm-shrinkwrap.json support (@owlstronaut)

Bug Fixes

• 18ebb0f #9368 min-release-age=0 doesn't filter, honor cross-source precedence (@owlstronaut)
• ca585c8 #9368 allow min-release-age in npmrc to coexist with --before (@raazkhnl)
• 6628d05 #9285 config: preserve min-release-age after flattening (@lawrence3699)

libnpmdiff: 8.1.6-pre.0.0

Dependencies

• workspace: @npmcli/[email protected]

libnpmexec: 10.2.6-pre.0.0

10.2.6-pre.0.0 (2026-05-20)

Bug Fixes

• e9b0157 #9255 libnpmexec: skip redundant reify for cached directory specs (fix(libnpmexec): skip redundant reify for cached directory specs #9255) (@manzoorwanijk)

Chores

• 2ca36c4 #9261 fixed non-functional typos throughout the codebase (@opensourcezeal)

Dependencies

• workspace: @npmcli/[email protected]

libnpmfund: 7.0.20-pre.0.0

Dependencies

• workspace: @npmcli/[email protected]

libnpmpack: 10.0.0-pre.0.0

10.0.0-pre.0.0 (2026-05-20)

⚠️ BREAKING CHANGES

• npm pack and npm publish now error when a package's overrides apply to one or more of its bundled packages (bundledDependencies / bundleDependencies). Defining both fields is still allowed as long as no override actually targets a bundled package. To resolve the error, remove the affected entries from either overrides or the bundle.

Bug Fixes

• b1965d6 #9271 refuse to pack when overrides apply to bundled packages (@owlstronaut)

Dependencies

• workspace: @npmcli/[email protected]

libnpmpublish: 11.2.0-pre.0.0

11.2.0-pre.0.0 (2026-05-20)

Features

• 254809e #9201 npm stage (feat: npm stage #9201) (@reggi, @Copilot)

Chores

• 40fcab4 #8991 @npmcli/[email protected] (@wraithgar)

libnpmversion: 9.0.0-pre.0.0

9.0.0-pre.0.0 (2026-05-20)

⚠️ BREAKING CHANGES

• npm shrinkwrap is removed, the shrinkwrap config alias is removed, and npm-shrinkwrap.json is no longer loaded or honored at the project root or from inside dependency tarballs. Rename project-root npm-shrinkwrap.json to package-lock.json; use bundleDependencies if you need to ship a locked dependency tree.

Features

• 2e5dcad #9262 drop npm-shrinkwrap.json support (@owlstronaut)

Chores

• 40fcab4 #8991 @npmcli/[email protected] (@wraithgar)

---

This PR was generated with Release Please. See documentation.

[github-actions]

Release Manager

Release workflow run: https://github.com/npm/cli/actions/runs/26187055045

Release Checklist for v12.0.0-pre.0.0

• 1. Checkout the release branch

  Ensure git status is not dirty on this branch after resetting deps. If it is, then something is probably wrong with the automated release process.

  gh pr checkout 9229 --force

  npm run resetdeps

  node scripts/git-dirty.js

• 2. Check CI status

  gh pr checks --watch

• 3. Log in to npm

  npm login sessions are short lived, so you will want to have a fresh one before you publish.

  npm login

• 4. Publish the CLI and workspaces

  Warning:
  This will publish all updated workspaces to latest, prerelease or backport depending on their version, and will publish the CLI with the dist-tag set to next-12.

  Note:
  The --test argument can optionally be omitted to run the publish process without running any tests locally.

  node scripts/publish.js --test

• 5. Optionally install and test [email protected] locally

  npm i -g [email protected]

  npm --version
  npm whoami
  npm help install
  # etc

• 6. Trigger docs.npmjs.com update

  gh workflow run update-cli.yml --repo npm/documentation

• 7. Approve and Merge release PR

  gh pr review --approve

  gh pr merge --rebase

  git checkout latest

  git fetch

  git reset --hard origin/latest

  node . run resetdeps

• 8. Wait For Release Tags

  Warning:
  The remaining steps all require the GitHub tags and releases to be created first. These are done once this PR has been labelled with autorelease: tagged.

  Release Please will run on the just merged release commit and create GitHub releases and tags for each package. The release bot will will comment on this PR when the releases and tags are created.

  Note:
  The release workflow also includes the Node integration tests which do not need to finish before continuing.

  You can watch the release workflow in your terminal with the following command:

  gh run watch `gh run list -R npm/cli -w release -b latest -L 1 --json databaseId -q ".[0].databaseId"`
  

• 9. Mark GitHub Release as latest

  Warning:
  You must wait for CI to create the release tags before running this step. These are done once this PR has been labelled with autorelease: tagged.

  Release Please will make GitHub Releases for the CLI and all workspaces, but GitHub has UI affordances for which release should appear as the "latest", which should always be the CLI. To mark the CLI release as latest run this command:

  gh release -R npm/cli edit v12.0.0-pre.0.0 --latest

• 10. Open nodejs/node PR to update npm

  Warning:
  You must wait for CI to create the release tags before running this step. These are done once this PR has been labelled with autorelease: tagged.

  Trigger the Create Node PR action. This will open a PR on nodejs/node to the main branch.

  First, sync our fork of node with the upstream source:

  gh repo sync npm/node --source nodejs/node --force

  Then, if we are opening a PR against the latest version of node:

  gh workflow run create-node-pr.yml -R npm/cli -f spec=next-12

  For backport releases, you must target the correct Node branch using -f branch=<NODE_MAJOR>. Make sure you are targeting the right Node major version for this npm version.

  For example, this will create a PR on nodejs/node to the v16.x-staging branch:

  gh workflow run create-node-pr.yml -R npm/cli -f spec=next-12 -f branch=16

• 11. Label and fast-track nodejs/node PR

  Note:
  This requires being a nodejs collaborator. This could be you!

  • Thumbs-up reaction on the Fast-track comment
  • Add an LGTM / Approval
  • Add request-ci label to get it running CI
  • Add commit-queue label once everything is green
  • For backport releases, comment on the PR asking the Node.js team to add dont-land-on-v<NODE_MAJOR> labels for Node versions where this npm version should not be included

[github-actions]

🤖 Created releases:

• v12.0.0-pre.0.0
• arborist-v10.0.0-pre.0.0
• config-v11.0.0-pre.0.0
• libnpmdiff-v8.1.6-pre.0.0
• libnpmexec-v10.2.6-pre.0.0
• libnpmfund-v7.0.20-pre.0.0
• libnpmpack-v10.0.0-pre.0.0
• libnpmpublish-v11.2.0-pre.0.0
• libnpmversion-v9.0.0-pre.0.0

🌻

[github-actions]

Release Workflow

• [email protected] https://github.com/npm/cli/releases/tag/v12.0.0-pre.0.0
• @npmcli/[email protected] https://github.com/npm/cli/releases/tag/arborist-v10.0.0-pre.0.0
• @npmcli/[email protected] https://github.com/npm/cli/releases/tag/config-v11.0.0-pre.0.0
• [email protected] https://github.com/npm/cli/releases/tag/libnpmdiff-v8.1.6-pre.0.0
• [email protected] https://github.com/npm/cli/releases/tag/libnpmexec-v10.2.6-pre.0.0
• [email protected] https://github.com/npm/cli/releases/tag/libnpmfund-v7.0.20-pre.0.0
• [email protected] https://github.com/npm/cli/releases/tag/libnpmpack-v10.0.0-pre.0.0
• [email protected] https://github.com/npm/cli/releases/tag/libnpmpublish-v11.2.0-pre.0.0
• [email protected] https://github.com/npm/cli/releases/tag/libnpmversion-v9.0.0-pre.0.0
• Workflow run: ❌ https://github.com/npm/cli/actions/runs/26189045163

🚨🚨🚨

@npm/cli-team: The post-release workflow failed for this release. Manual steps may need to be taken after examining the workflow output.

🚨🚨🚨