10.0.0-pre.0.0 (2026-05-20)
⚠️ BREAKING CHANGES
npm shrinkwrapis removed, theshrinkwrapconfig alias is removed, andnpm-shrinkwrap.jsonis no longer loaded or honored at the project root or from inside dependency tarballs. Rename project-rootnpm-shrinkwrap.jsontopackage-lock.json; usebundleDependenciesif you need to ship a locked dependency tree.
Features
e0f12f7#9348 add allow-git/allow-file/allow-directory/allow-remote configs (@owlstronaut)b8655c7#9282 arborist: add lockfileString() for in-memory lockfile generation (@ljharb)2e5dcad#9262 drop npm-shrinkwrap.json support (@owlstronaut)
Bug Fixes
822ce86#9343 arborist: skip lockfile entries for optional deps with incomplete manifests (#9343) (@ecanturk, @owlstronaut)2c9587e#9359 arborist: only forward Link overrides when a rule names a target dep (@manzoorwanijk)f550eb4#9348 refactor #failureNode, adjust tests and safety (@owlstronaut)1f17566#9348 allow-remote=none does not block registry tarballs (@owlstronaut)81793ae#9332 arborist: skip extraneous fsChildren in linked-strategy reify (@manzoorwanijk)4c7f6ba#9330 arborist: prune removed-workspace entries from package-lock.json (@manzoorwanijk)076551b#9309 arborist: clean up orphan top-level symlinks in linked strategy (#9309) (@manzoorwanijk)32940e2#9299 arborist: ignore hidden entries in global update (#9299) (@Grynn)0629fbf#9283 prefer existing tree nodes for peerOptional deps (#9249) (#9283) (@everett1992)bc32d94#9198 arborist: propagate overrides through Link nodes to targets (#9198) (@manzoorwanijk)1ab20c8#9235 arborist: fix infinite loop with bundledDependencies and overrides (#9235) (@everett1992)0dc5585#9167 arborist: handlenpm linkwith install-strategy=linked (@manzoorwanijk)1d058b0#9221 arborist: do not install inert optional extraneous shared dependencies (#9221) (@lovell)dcad8ec#9206 pass _isRoot context where missing (#9206) (@wraithgar)
Chores
b61281d#9349 change test wording to not collide with tap (#9349) (@owlstronaut)