npm/cli v12.0.0-pre.1

on GitHub

12.0.0-pre.1 (2026-06-19)

⚠️ BREAKING CHANGES

• Preserve https protocol when working with git (#8703)
• The default license for npm init has been changed from "ISC" to an empty string. If not set, the license field will be omitted from new packages.
• npm now supports node ^22.22.2 || ^24.15.0 || >=26.0.0
• allow-git and allow-remote now default to "none"; set them to "all" (or "root") to install git or user-supplied tarball-URL dependencies.
• root `preinstall` now runs before dependencies are installed.
• unknown configs in .npmrc, unknown CLI flags, abbreviated flags, and single-hyphen multi-char shorthands now throw instead of warning.

Features

• ce7681f #9496 packageExtensions for root-owned dependency manifest repairs (#9496) (@manzoorwanijk)
• 1db885c #9439 native dependency patching (npm patch add/commit/update/ls/rm) (#9439) (@manzoorwanijk)
• fc80bb3 #9234 remove default license for npm init (@owlstronaut)
• be8053c #9544 warn when min-release-age blocks an audit fix (#9544) (@JamieMagee)
• 18eb967 #9559 bump to new node engine range (@owlstronaut)
• c3e1a71 #9532 add min-release-age-exclude config (@JamieMagee, @caseyjhol)
• 5cd5150 #9424 default-deny install scripts (allowScripts opt-in) [v12] (@JamieMagee)
• 64e3f79 #9480 allowScripts tooling and inBundle hardening (#9480) (@JamieMagee)
• caa3295 #9466 default allow-git and allow-remote to none (@owlstronaut)
• f2e4a28 #9351 add a global npmignore file (#9351) (@ljharb)
• c9be2d1 #9153 publish --access=private alias for restricted (#9153) (@reggi, @Copilot)
• 7068d42 #9360 Phase 1 of allowScripts opt-in install-script policy (#9360) (@JamieMagee)
• 979518d #9276 error on unknown configs, flags, and abbreviations (#9276) (@owlstronaut)

Bug Fixes

• e96a7de #8703 Preserve https protocol when working with git (#8703) (@oldium)
• a847d28 #9575 patch: warn when patch update --to targets an uninstalled version (#9575) (@manzoorwanijk)
• 62b0694 #9576 patch: explain out-of-sync lockfile after --ignore-patch-failures (#9576) (@manzoorwanijk)
• 5ddf6cc #9567 patch: keep the update marker on a no-op commit so a retry finalizes (#9567) (@manzoorwanijk)
• fc3ef5a #9559 adapt to @npmcli/run-script@11 breaking changes (@owlstronaut)
• abf78b3 #9540 match dotted and versioned args in approve-scripts/deny-scripts (@owlstronaut)
• f6270d1 #9531 emit valid JSON from approve-scripts/deny-scripts --json (@owlstronaut)
• 0e55f97 #9492 pass script-shell to publish lifecycle hooks (@Zelys-DFKH)
• 2cbb13b #9490 recognize allowScripts for local link targets (#9490) (@cyphercodes, @cyphercodes)
• bf623e0 #9473 validate registry path for allow-remote tarballs (@Abhinav-143x)
• 6be874b #9479 list pending scripts in approve-scripts when ignore-scripts is set (#9479) (@JamieMagee)
• 6603b2c #9469 suggest --allow-scripts for global installs in unreviewed-scripts warnings (#9469) (@JamieMagee)
• fe820b6 #9442 invalid issue template YAML indentation (#9442) (@fallintoplace)
• fe41ae7 #9404 show full parent command path in subcommand usage errors (#9404) (@shaanmajid)
• 75bf7de #9456 respect allowScripts policy in prune, dedupe, uninstall, audit fix, and link (@JamieMagee)
• 6efac6e #9453 config: clarify --all help so it's accurate for approve-scripts and deny-scripts (@JamieMagee)
• b97edc0 #9430 audit: don't apply min-release-age before filter when verifying installed signatures (@JamieMagee)
• 080e3b2 #9425 block forbidden keys in Queryable setter to prevent prototype pollution (@12122J, @claude)
• c5292fa #9422 use prerelease strategy without a bug (@owlstronaut)
• 33aebaa #9410 fix typo of fullMetadata (@owlstronaut)
• 2a03860 #9267 run root preinstall before reify (@owlstronaut)
• c0fc549 #9372 config: pause progress spinner during interactive editor spawn (#9372) (@Zelys-DFKH, @claude)

Documentation

• 357e8cd #9520 approve-scripts only throws EGLOBAL when run with -g (@JamieMagee)
• bcf01c6 #9505 clarify package.json override value specs (#9505) (@ded-furby)
• 455aa4a #9401 use the latest version for global update and outdated's wanted (#9401) (@liangmiQwQ)
• aac80dc #9470 update minimum npm required for npm trust (@meeech)
• d124c08 #9385 Document npm_old_version and npm_new_version environment variables (#9385) (@36degrees)

Dependencies

• 9cbba72 #9579 npm-profile@13.0.1
• d4e0a70 #9559 @tufjs/repo-mock@5.0.0
• 3ef66bb #9559 bundle arborist runtime deps for bootstrap
• 5dce6fb #9559 npm-packlist@11.2.0
• ad05528 #9559 @npmcli/git@8.0.0
• cc45055 #9559 @npmcli/node-gyp@6.0.0
• a12e2c8 #9559 @npmcli/name-from-folder@5.0.0
• cc96d57 #9559 @npmcli/installed-package-contents@5.0.0
• 3dc18e5 #9559 @npmcli/git@8.0.0
• 428afa6 #9559 sigstore@5.0.0
• 95ed19c #9559 regenerate bundled dependencies
• b62db95 #9559 bin-links@7.0.0
• 2f5da83 #9559 @npmcli/fs@6.0.0
• 370f9c6 #9559 node-gyp@13.0.0
• e459d7a #9559 which@7.0.0
• 5032af3 #9559 validate-npm-package-name@8.0.0
• 13d97ac #9559 tar@7.5.16
• 1502286 #9559 ssri@14.0.0
• 68eb39c #9559 semver@7.8.4
• 3484d7f #9559 read@6.0.0
• 21df0ab #9559 proc-log@7.0.0
• 8f85646 #9559 parse-conflict-json@6.0.0
• a44c1cf #9559 pacote@22.0.0
• 171bba3 #9559 npm-user-validate@5.0.0
• 1f9c567 #9559 npm-registry-fetch@20.0.1
• 1fd247a #9559 npm-profile@13.0.0
• 998ff1d #9559 npm-pick-manifest@12.0.0
• d80859a #9559 npm-package-arg@14.0.0
• 5e1d513 #9559 npm-install-checks@9.0.0
• faf97e5 #9559 npm-audit-report@8.0.0
• 471309f #9559 nopt@10.0.1
• 40395b8 #9559 make-fetch-happen@16.0.1
• 30e89d9 #9559 json-parse-even-better-errors@6.0.0
• d44db96 #9559 is-cidr@7.0.0
• 350fb18 #9559 init-package-json@9.0.0
• 406820a #9559 ini@7.0.0
• d867351 #9559 hosted-git-info@10.1.1
• 66d46bc #9559 cacache@21.0.1
• 0d15aec #9559 abbrev@5.0.0
• 9bbdefb #9559 @sigstore/tuf@5.0.0
• 9d13ebf #9559 @npmcli/run-script@11.0.0
• 27c4dcc #9559 @npmcli/redact@5.0.0
• f0eaef3 #9559 @npmcli/promise-spawn@10.0.0
• 0be6ae2 #9559 @npmcli/package-json@8.0.0
• f86a019 #9559 @npmcli/metavuln-calculator@10.0.0
• 4d234b2 #9559 @npmcli/map-workspaces@6.0.0
• d28783e #9420 undici@6.26.0
• 7f6c6ef #9420 sigstore@4.1.1
• ee61b6e #9420 lru-cache@11.5.1
• d5ddef2 #9420 @sigstore/verify@3.1.1
• 11e7ac7 #9420 @sigstore/core@3.2.1
• 11cd66e #9420 @npmcli/agent@4.0.2
• 8be4c04 #9420 semver@7.8.1
• 577d61d #9420 make-fetch-happen@15.0.6

Chores

• 059c06e #9560 add web-login proxy doneUrl regression for npm-profile fix (#9560) (@manzoorwanijk)
• 1453954 #9559 nock@14.0.0 (@owlstronaut)
• 0323f2d #9559 template-oss-apply (@owlstronaut)
• ee3d87f #9559 @npmcli/template-oss@5.1.1 (@owlstronaut)
• d25a179 #9559 template-oss-apply (@owlstronaut)
• acdd6d5 #9559 bumping @npmcli/template-oss from 4.29.0 to 5.1.0 (@owlstronaut)
• 4e2496a #9513 update issue templates - better language (@owlstronaut)
• 7a997ac #9512 update issue templates (#9512) (@owlstronaut)
• da63c79 #9420 dev dependency updates (@owlstronaut)
• 5fc9bc0 #9393 sanitize newlines in flags table default and type values (#9393) (@reggi, @Copilot)
• workspace: @npmcli/arborist@10.0.0-pre.1
• workspace: @npmcli/config@11.0.0-pre.1
• workspace: libnpmaccess@11.0.0-pre.0
• workspace: libnpmdiff@9.0.0-pre.0
• workspace: libnpmexec@11.0.0-pre.0
• workspace: libnpmfund@8.0.0-pre.0
• workspace: libnpmorg@9.0.0-pre.0
• workspace: libnpmpack@10.0.0-pre.1
• workspace: libnpmpublish@12.0.0-pre.0
• workspace: libnpmsearch@10.0.0-pre.0
• workspace: libnpmteam@9.0.0-pre.0
• workspace: libnpmversion@9.0.0-pre.1