libnpmaccess

libnpmaccess is a Node.js library that provides programmatic access to the guts of the npm CLI's npm access command. This includes managing account mfa settings, listing packages and permissions, looking at package collaborators, and defining package permissions for users, orgs, and teams.

Example

const access = require('libnpmaccess')
const opts = { '//registry.npmjs.org/:_authToken: 'npm_token }

// List all packages @zkat has access to on the npm registry.
console.log(Object.keys(await access.getPackages('zkat', opts)))

API

opts for all libnpmaccess commands

libnpmaccess uses npm-registry-fetch.

All options are passed through directly to that library, so please refer to its own opts documentation for options that can be passed in.

spec parameter for all libnpmaccess commands

spec must be an npm-package-arg-compatible registry spec.

access.getCollaborators(spec, opts) -> Promise<Object>

Gets collaborators for a given package

access.getPackages(user|scope|team, opts) -> Promise<Object>

Gets all packages for a given user, scope, or team.

Teams should be in the format scope:team or @scope:team

Users and scopes can be in the format @scope or scope

access.getVisibility(spec, opts) -> Promise<Object>

Gets the visibility of a given package

access.removePermissions(team, spec, opts) -> Promise<Boolean>

Removes the access for a given team to a package.

Teams should be in the format scope:team or @scope:team

access.setAccess(package, access, opts) -> Promise<Boolean>

Sets access level for package described by spec.

The npm registry accepts the following access levels:

• public: package is public
• private: package is private

The npm registry also only allows scoped packages to have their access level set.

access.setMfa(spec, level, opts) -> Promise<Boolean>`

Sets the publishing mfa requirements for a given package. Level must be one of the following:

• none: mfa is not required to publish this package.
• publish: mfa is required to publish this package, automation tokens cannot be used to publish.
• automation: mfa is required to publish this package, automation tokens may also be used for publishing from continuous integration workflows.

access.setPermissions(team, spec, permissions, opts) -> Promise<Boolean>`

Sets permissions levels for a given team to a package.

Teams should be in the format scope:team or @scope:team

The npm registry accepts the following permissions:

• read-only: Read only permissions
• read-write: Read and write (aka publish) permissions

Changelog

11.6.2 (2025-10-08)

Bug Fixes

• c54d1e9 #8633 progress bar code cleanup (#8633) (@wraithgar)
• d352e27 #8629 do not redact notice logs going to stdout (#8629) (@wraithgar)
• 5ac3678 #8617 spelling in ./lib and ./test/lib (#8617) (@jsoref)
• 9197995 #8619 spelling (#8619) (@jsoref)
• dd884e3 #8618 spelling (#8618) (@jsoref)
• f6028e6 #8614 skip redacting urls meant for opening by the user (#8614) (@wraithgar, @jolyndenning)
• 54fd27f #8602 refactor node.ideallyInert to node.inert (#8602) (@liamcmitchell)
• 79e3c1e #8593 use @npmcli/package-json to normalize package data (@wraithgar)

  Documentation

• 0469c5e #8639 rewrap markdown (#8639) (@jsoref)
• 9ceb9c1 #8636 rewrap markdown (#8636) (@jsoref)
• 6324370 #8616 fix spelling (#8616) (@jsoref)
• 1b0429a #8607 Fix spelling (#8607) (@jsoref)
• 7fbe07a #8603 clean up deprecated npm access commands (#8603) (@jsoref)

  Dependencies

• fa7cc6f #8662 `ci-info@4.3.1` (#8662)
• b05461b #8663 @sigstore/sign@4.0.1 (#8663)
• c31de22 #8661 downgrade ci-info to 4.3.0 (#8661) (@wraithgar)
• c5191b5 #8659 `ci-info@4.3.1`
• f255c92 #8659 `hosted-git-info@9.0.2`
• bdaf323 #8659 `is-cidr@6.0.1`
• a33f106 #8659 `lru-cache@11.2.2`
• 8044e07 #8659 `npm-package-arg@13.0.1`
• f577504 #8659 `npm-packlist@10.0.2`
• 9aa4fa6 #8659 `semver@7.7.3`
• fe9484a #8593 remove normalize-package-data

  Chores

• b3409f4 #8659 dev dependency updates (@wraithgar)
• e8de81b #8643 Add automatically generated annotation to dependencies.md (#8643) (@jsoref)
• 67cfaf3 #8627 fix spelling: different (#8627) (@jsoref)
• 17ddc0d #8622 fix spelling (#8622) (@jsoref)
• c3e1790 #8605 Remove reference to nonexistent calendar (#8605) (@jsoref)
• ac9143e #8604 Improve link accessibility for screen reader users (#8604) (@jsoref)
• 62d73e7 #8601 remove references to benchmarks workflow (#8601) (@jsoref)
• bb4b739 #8598 remove stale comment (#8598) (@jsoref)
• f73e65d #8592 fix build url code for remark-github@12 (#8592) (@wraithgar)
• workspace: @npmcli/arborist@9.1.6
• workspace: @npmcli/config@10.4.2
• workspace: `libnpmaccess@10.0.3`
• workspace: `libnpmdiff@8.0.9`
• workspace: `libnpmexec@10.1.8`
• workspace: `libnpmfund@7.0.9`
• workspace: `libnpmpack@9.0.9`
• workspace: `libnpmpublish@11.1.2`

11.6.1 (2025-09-23)

Bug Fixes

• d389614 #8579 corrects peer dependency flag propagation (@owlstronaut)
• 5db81c3 #8512 allow concurrent non-local npx calls (#8512) (@jenseng, @wraithgar)

  Documentation

• 7a09902 #8582 bring back certfile (#8582) (@jenseng)

  Dependencies

• 849dcb6 #8589 `tar@7.5.1` (#8589)
• ea15731 #8576 `binary-extensions@3.1.0`
• 0f41bac #8576 `tiny-relative-date@2.0.2`
• 07bf540 #8576 `is-cidr@6.0.0`
• ef87ec6 #8576 `diff@8.0.2`
• 48285e0 #8576 add fdir, isexe, and picomatch to node_modules
• 099238a #8576 `fdir@6.5.0`
• 6e4d673 #8576 `isexe@3.1.1`
• 09a7494 #8576 `supports-color@10.2.2`
• c5157c9 #8576 `chalk@5.6.2`
• 46035db #8576 `debug@4.4.3`
• 5f6664b #8576 `spdx-license-ids@3.0.22`
• 5516583 #8576 `socks@2.8.7`
• 6a392f3 #8576 `tinyglobby@0.2.15`
• 9519f18 #8576 `npm-install-checks@7.1.2`
• 34bafd1 #8576 `node-gyp@11.4.2`
• dfd034e #8576 @npmcli/promise-spawn@8.0.3
• d4eef14 #8576 `rimraf@6.0.1`
• 566f1b7 #8576 `minimatch@10.0.3`
• ac33497 #8576 `mkdirp@3.0.1`
• 1676626 #8576 `glob@11.0.3`
• 817f0b1 #8576 `ignore-walk@8.0.0`
• 79a4e67 #8576 `minizlib@3.0.2`
• 38fa2c2 #8576 `negotiator@1.0.0`
• 24252a1 #8576 @npmcli/agent@4.0.0
• ea7ca5f #8576 `lru-cache@11.2.1`
• 521823b #8576 @npmcli/git@7.0.0
• bf6b686 #8576 `npm-package-arg@13.0.0`
• 9392488 #8576 `npm-package-manifest@11.0.1`
• 0082083 #8576 `normalize-package-data@8.0.0`
• 633c4ed #8576 `hosted-git-info@9.0.0`
• 66f64eb #8576 `make-fetch-happen@15.0.2`
• 1f85f94 #8576 @sigstore/tuf@4.0.0
• a2bdecc #8576 `sigstore@4.0.0`
• 1149971 #8576 `npm-registry-fetch@19.0.0`
• b5bd5e3 #8576 `npm-profile@12.0.0`
• 6221e27 #8576 @npmcli/metavuln-calculator@9.0.2
• da81a37 #8576 `cacache@20.0.1`
• 6b4c5f9 #8576 @npmcli/run-script@10.0.0
• cb36a8a #8576 `init-package-json@8.2.2`
• b6bb9ae #8576 `pacote@21.0.3`
• 1b4433f #8576 @npmcli/map-workspaces@5.0.0
• ceae674 #8576 @npmcli/package-json@7.0.1
• 4f37534 #8576 remove read-package-json-fast

  Chores

• 7eb5c09 #8576 update package-lock with peer flag fixes (@wraithgar)
• 0d00fd8 #8576 `jsdom@27.0.0` (@wraithgar)
• 420a569 #8576 `unified@11.0.5` (@wraithgar)
• 064deb3 #8576 `remark-rehype@11.1.2` (@wraithgar)
• 30fe3ba #8576 `remark-man@9.0.0` (@wraithgar)
• 1c6bb4c #8576 `rehype-stringify@10.0.1` (@wraithgar)
• 208cb93 #8576 `remark-gfm@4.0.1` (@wraithgar)
• 4a46b5a #8576 `remark-github@12.0.0` (@wraithgar)
• 93d190b #8576 `remark-parse@11.0.0` (@wraithgar)
• 05301a4 #8576 `remark@15.0.1` (@wraithgar)
• 6afdda9 #8576 `ajv-formats@3.0.1` (@wraithgar)
• 402a0ab #8576 @npmcli/template-oss@4.25.1 (@wraithgar)
• 3b43bf7 #8576 dev dependency updates (@wraithgar)
• 9f9146f #8576 @tufjs/repo-mock@4.0.0 (@wraithgar)
• eed8a10 #8576 use latest/local arborist in mock-registry (@wraithgar)
• workspace: @npmcli/arborist@9.1.5
• workspace: @npmcli/config@10.4.1
• workspace: `libnpmaccess@10.0.2`
• workspace: `libnpmdiff@8.0.8`
• workspace: `libnpmexec@10.1.7`
• workspace: `libnpmfund@7.0.8`
• workspace: `libnpmorg@8.0.1`
• workspace: `libnpmpack@9.0.8`
• workspace: `libnpmpublish@11.1.1`
• workspace: `libnpmsearch@9.0.1`
• workspace: `libnpmteam@8.0.2`
• workspace: `libnpmversion@8.0.2`

11.6.0 (2025-09-03)

Features

• bdcc10d #8359 add support for optional env var replacements in .npmrc (#8359) (@aczekajski, @owlstronaut)

  Bug Fixes

• dd4cee9 #8539 powershell: improve argument parsing (#8539) (@alexsch01)
• 5f18557 #8532 powershell: fix issue with modified InvocationName (#8532) (@alexsch01)
• 9e5abf1 #8529 add redaction to log format egress (#8529) (@wraithgar)
• 75ce64a #8524 revert handle signal exits gracefully (#8524) (@owlstronaut)
• 5d82d0b #8469 ps1 scripts in powershell 5.1 (#8469) (@splatteredbits)

Dependencies

• workspace: @npmcli/arborist@9.1.4
• workspace: @npmcli/config@10.4.0
• workspace: `libnpmdiff@8.0.7`
• workspace: `libnpmexec@10.1.6`
• workspace: `libnpmfund@7.0.7`
• workspace: `libnpmpack@9.0.7`

11.5.2 (2025-07-30)

Bug Fixes

• 7d900c4 #8467 oidc visibility check for provenance (#8467) (@reggi, @wraithgar)

  Documentation

• d4e56b2 #8459 update snapshot generation command (#8459) (@MikeMcC399)

11.5.1 (2025-07-24)

Bug Fixes

• 476bf17 #8457 provenance should only default for oidc (@reggi)

11.5.0 (2025-07-24)

Features

• 1cce318 #8336 adds support for oidc publish (#8336) (@reggi)

  Bug Fixes

• 7f66f0a #8447 add better hint for before and clean up description (@wraithgar)
• 280817a #8447 add --before param to command help output (@wraithgar)
• 6e47325 #8441 Makes 404 errors less scary without revealing existence (#8441) (@owlstronaut)
• 0a97ffd #8429 handle signal exits gracefully (@owlstronaut)
• 5b858c6 #8411 ensure progress bars display consistently across all environments (#8411) (@owlstronaut)

  Documentation

• ef3529e #8435 add test snapshot (#8435) (@reggi, @wraithgar)
• b7758d7 #8418 remove reference to Node.js download less common os (#8418) (@MikeMcC399)
• 746ac5d #8380 remove duplicate info (#8380) (@alexsch01)
• 4673e9c #8371 rebrand OS X references to macOS (@MikeMcC399)

  Dependencies

• 398fed4 #8450 `normalize-package-data@7.0.1`
• 5b242c9 #8450 `validate-npm-package-name@6.0.2`
• d4e8a8a #8450 `tuf-js@3.1.0`
• e1b37b2 #8450 `picomatch@4.0.3`
• 3cb5884 #8450 `socks@2.8.6`
• daea981 #8450 `ci-info@4.3.0`
• 39ad47d #8450 `aproba@2.1.0`
• a789f33 #8450 `agent-base@7.1.4`
• 1c0d257 #8450 @npmcli/metavuln-calculator@9.0.1

  Chores

• 804a964 #8450 update devDependencies in lockfile (@wraithgar)
• 643ae71 #8450 update mock-registry to use local arborist (@wraithgar)
• cf023d7 #8421 contributing: prepare easier copy-paste contributing commands (#8421) (@MikeMcC399)
• 3f60b5f #8383 @npmcli/template-oss@4.24.4 (#8383) (@wraithgar)
• 01f8cc6 #8381 @npmcli/template-oss@4.24.3 (#8381) (@wraithgar)
• workspace: @npmcli/arborist@9.1.3
• workspace: @npmcli/config@10.3.1
• workspace: `libnpmdiff@8.0.6`
• workspace: `libnpmexec@10.1.5`
• workspace: `libnpmfund@7.0.6`
• workspace: `libnpmpack@9.0.6`
• workspace: `libnpmpublish@11.1.0`

11.4.2 (2025-06-11)

Bug Fixes

• f2d6947 #8345 move warning to new line when npm init is canceled (@mbtools)
• e758dd7 #8318 powershell: multiple Invoke-Expression fixes (#8318) (@alexsch01)

  Documentation

• 7233cb3 #8355 remove deprecated section related temp files (#8355) (@milaninfy)
• fb7a498 #8351 clarify shell used for script (#8351) (@milaninfy)
• 8b55d38 #8329 Rename "command" to "script" (#8329) (@DanKaplanSES)

  Dependencies

• 7b05420 #8358 `fdir@6.4.6`
• e1a3b23 #8358 `tinyglobby@0.2.14`
• 522efa2 #8358 `socks@2.8.5`
• 7a0723f #8358 `debug@4.4.1`
• 9a342a4 #8358 `brace-expansion@2.0.2`
• e691ba0 #8358 @sigstore/protobuf-specs@0.4.3
• 42ef765 #8358 `validate-npm-package-name@6.0.1`
• 774c0b1 #8358 @npmcli/redact@3.2.2
• dda6f87 #8317 @npmcli/package-json@6.2.0
• bc08ac7 #8317 remove normalize-package-data

  Chores

• 0ad1444 #8358 dev dependency updates (@wraithgar)
• workspace: @npmcli/arborist@9.1.2
• workspace: `libnpmdiff@8.0.5`
• workspace: `libnpmexec@10.1.4`
• workspace: `libnpmfund@7.0.5`
• workspace: `libnpmpack@9.0.5`
• workspace: `libnpmpublish@11.0.1`

11.4.1 (2025-05-21)

Documentation

• 3ed764a #8308 Clarify script working directory behavior (fixes #8305) (#8308) (@tarekwfa0110, @owlstronaut)

  Chores

• 2f30251 #8314 remove references to skimdb.npmjs.com (#8314) (@shmam)
• 9cb9d50 #8298 add contributor to changelog entry (#8298) (@wraithgar)

Dependencies

• workspace: @npmcli/arborist@9.1.1
• workspace: `libnpmdiff@8.0.4`
• workspace: `libnpmexec@10.1.3`
• workspace: `libnpmfund@7.0.4`
• workspace: `libnpmpack@9.0.4`

11.4.0 (2025-05-15)

Features

• a0e60fb #8246 added init-private option (@owlstronaut)
• 57aa89f #8265 use run by default and run-script as the alias (#8265) (@owlstronaut)
• 0d4c023 #8234 install: add package info to json output (#8234) (@wraithgar)

  Bug Fixes

• 8794fd9 #8297 powershell: support pipeline input with Invoke-Expression (#8297) (@alexsch01)
• b5173d1 #8293 docs: corrected github_path (#8293) (@xaos7991)
• 2210d7a #8278 powershell: use Invoke-Expression to pass args (#8278) (@alexsch01, @mbtools)
• 8669d09 #8228 add otplease for enable-2fa, disable-2fa, access (#8228) (@reggi, @wraithgar)
• 78b5a6f #8269 correctly handle scenario where prefix is the cwd (#8269) (@owlstronaut, @ficocelliguy)
• fdc3413 #8221 exec: Fails to Execute Binaries Named After Shell Keywords (#8221) (@13sfaith)
• 4b08e2e #8245 docs: prepare script runs for local package links (@milaninfy)
• 1622ac4 #8241 handle missing time in packument to prevent crash on npm view (@owlstronaut)
• db8f5da #8110 outdated: add dependent location in long output (#8110) (@milaninfy, @wraithgar)

  Documentation

• d2498df #8295 Remove CHANGELOG from never-ignored list (#8295) (@mrazauskas)
• 4d5c3c1 #8283 fix overrides example in package-json.md (#8283) (@glasser)
• 96cc4f9 #8226 format publish as code to highlight it (@LiangYingC)
• 4990ea0 #8226 clarify legacy token creation in npm login and adduser commands (@LiangYingC)

  Dependencies

• c97ef8a #8246 `init-package-json@8.2.1`
• f48613d #8292 @sigstore/verify@2.1.1
• a4c5e74 #8292 `tinyglobby@0.2.13`
• b9156d2 #8292 `http-cache-semantics@4.2.0`
• 472a685 #8292 `binary-extensions@3.1.0`
• 988696e #8292 @sigstore/tuf@3.1.1
• 569ac84 #8292 `semver@7.7.2`
• 2521c9b #8233 @sigstore/protobuf-specs@0.4.1
• 3274d68 #8233 @npmcli/query@4.0.1
• c263626 #8233 `abbrev@3.0.1`
• 78df711 #8233 `hosted-git-info@8.1.0`

  Chores

• e80e38e #8292 dev dependency updates (@wraithgar)
• 3231ee9 #8244 update snapshots (@owlstronaut)
• c561a33 #8233 dev dependency updates (@owlstronaut)
• 7eca19c #8215 update workflow permissions for updating Node PR (@owlstronaut)
• workspace: @npmcli/arborist@9.1.0
• workspace: @npmcli/config@10.3.0
• workspace: `libnpmaccess@10.0.1`
• workspace: `libnpmdiff@8.0.3`
• workspace: `libnpmexec@10.1.2`
• workspace: `libnpmfund@7.0.3`
• workspace: `libnpmpack@9.0.3`
• workspace: `libnpmteam@8.0.1`
• workspace: `libnpmversion@8.0.1`

11.3.0 (2025-04-08)

Features

• b306d25 #8129 add node-gyp as actual config (@wraithgar)

  Bug Fixes

• 2f5392a #8135 make npm run autocomplete work with workspaces (#8135) (@terrainvidia)

  Documentation

• 26b6454 fix grammar in local path note (@cgay)
• 1c0e83d #7886 fix typo in package-json.md (#7886) (@stoneLeaf)
• 14efa57 #8178 fix example package name in overrides explainer (#8178) (@G-Rath)
• 4183cba #8162 logging: replace proceeding with preceding in loglevels details (#8162) (@tyleralbee)

  Dependencies

• e57f112 #8207 `minipass-fetch@4.0.1`
• 3daabb1 #8207 `minizlib@3.0.2`
• c7a7527 #8207 `ci-info@4.2.0`
• 20b09b6 #8207 `node-gyp@11.2.0`
• 679bc4a #8129 @npmcli/run-script@9.1.0

  Chores

• 3fbed84 #8207 install rimraf as a devdependency for smoke tests (@owlstronaut)
• 43f0b41 #8207 dev dependency updates (@wraithgar)
• 26803bc #8147 release integration node 23 yml (#8147) (@reggi)
• d679a1a #8146 release integration node 23 (#8146) (@reggi)
• workspace: @npmcli/arborist@9.0.2
• workspace: @npmcli/config@10.2.0
• workspace: `libnpmdiff@8.0.2`
• workspace: `libnpmexec@10.1.1`
• workspace: `libnpmfund@7.0.2`
• workspace: `libnpmpack@9.0.2`

11.2.0 (2025-03-05)

Features

• 247ee1d #8100 cache: add npx commands (@wraithgar)
• 3a80a7b #8081 add --init-type flag (#8081) (@reggi)
• 2a1e11f #8071 move nerfDart list into @npmcli/config (@wraithgar)

  Bug Fixes

• 8461186 #8100 update npx cache if possible when spec is a range (@wraithgar)
• e345cc5 #8050 don't suggest npm update outside of valid engine range (#8050) (@milaninfy)
• 811ca29 #8115 stop working around bug fixed in `npm-package-arg@12.0.2` (@TrevorBurnham)
• 879303c #8078 warn on invalid publishConfig (#8078) (@wraithgar)
• 41417de #8080 warn when TUF fetching of keys fails (#8080) (@wraithgar)
• 593c849 #8076 warn on invalid single-hyphen cli flags (#8076) (@wraithgar)

  Dependencies

• 3d8b257 #8100 @npmcli/package-json@6.1.1
• ab17523 #8134 `supports-color@10.0.0`
• 3cbe21a #8134 `foreground-child@3.3.1`
• ee5e1aa #8118 @npmcli/redact@3.1.1
• 5df69b4 #8118 `exponential-backoff@3.1.2`
• 80c3273 #8118 `read@4.1.0`
• 7fd70fa #8118 `node-gyp@11.1.0`
• 7aeffff #8118 `cidr-regex@4.1.3`
• b0c0490 #8118 `is-cidr@5.1.1`
• ef49d6b #8118 `sigstore@3.1.0`
• 1399bfb #8118 `socks@2.8.4`
• 6b72107 #8118 `semver@7.7.1`
• c9ad0c4 #8118 @npmcli/git@6.0.3
• b153927 #8115 `npm-package-arg@12.0.2`
• f0f6265 #8071 `nopt@8.1.0`

  Chores

• cc72b89 #8143 fix smoke tests to account for new release versions within a workspace (#8143) (@reggi)
• c3810bc #8134 dev dependency updates (@wraithgar)
• 9dc40e6 #8118 dev dependency updates (@wraithgar)
• 7ec0831 #8118 update jsonpath-plus (@wraithgar)
• ed85b01 #8071 tests for config warnings/changes (@wraithgar)
• workspace: @npmcli/arborist@9.0.1
• workspace: @npmcli/config@10.1.0
• workspace: `libnpmdiff@8.0.1`
• workspace: `libnpmexec@10.1.0`
• workspace: `libnpmfund@7.0.1`
• workspace: `libnpmpack@9.0.1`

11.1.0 (2025-01-29)

Features

• 7f6c997 #8009 add dry-run to deprecate/undeprecate commands (@wraithgar)
• 1764a37 #8009 add npm undeprecate command (@wraithgar)

  Bug Fixes

• 31455b2 #8054 publish: honor force for no dist tag and registry version check (#8054) (@reggi)
• dc31c1b #8038 remove max-len linting bypasses (@wraithgar)
• 8a911ff #8038 publish: disregard deprecated versions when calculating highest version (@wraithgar)
• 7f72944 #8038 publish: accept publishConfig.tag to override highest semver check (@wraithgar)
• ab9ddc0 #7992 sbom: deduplicate sbom dependencies (#7992) (@bdehamer)
• f7da341 #7980 search: properly display multiple search terms (#7980) (@wraithgar)

  Documentation

• 3644e79 #8055 update readme for Node.js versions, remove badges (#8055) (@wraithgar)
• f1af61f #8041 fix typos in "package-json" (#8041) (@maxkoryukov)
• e90c6fe #8051 depth flag default value (#8051) (@milaninfy)
• 866b5ee #8030 safer documentation urls, repos, packages (#8030) (@reggi)

  Dependencies

• 7ddfbad #8053 @npmcli/package-json@6.1.1
• 9473a86 #8053 `spdx-license-ids@3.0.21`
• a65e5ce #8053 @sigstore/protobuf-specs@0.3.3
• 215ebe4 #8053 `chalk@5.4.1`

  Chores

• 61f00e3 #8069 splits out smoke-tests from publish-dryrun tests (#8069) (@reggi)
• 6d0f46e #8058 stop publish smoke from check git clean (#8058) (@reggi)
• 9281ebf #8057 fix smoke tests prerelease needs separate string args (#8057) (@reggi)
• aa202e9 #8056 smoke tests using a preid (#8056) (@reggi)
• 18e0449 #8053 dev dependency updates (@wraithgar)
• 859a71c #8052 update node versions for release integration tests (#8052) (@wraithgar)
• 7e7961d #8038 bump @npmcli/eslint-config to 5.1.0 (@wraithgar)
• workspace: @npmcli/config@10.0.1

11.0.0 (2024-12-16)

Documentation

• 8a911da #7963 ls: removed design change pending section note (#7963) (@milaninfy)

  Dependencies

• 5319e48 #7973 remove unnecessary sprintf-js files in node_modules (#7973)
• d369c77 #7976 `socks-proxy-agent@8.0.5`
• 3b2951a #7976 `https-proxy-agent@7.0.6`
• a598b7b #7976 `agent-base@7.1.3`
• 52bcaf6 #7976 `debug@4.4.0`
• aabf345 #7976 `p-map@7.0.3`
• 28e8761 #7976 `npm-package-arg@12.0.1`

  Chores

• ecd7190 #7976 dev dependency updates (@wraithgar)
• a07f4e0 #7976 @npmcli/template-oss@4.23.6 (@wraithgar)
• 687ab12 #7970 remove pre-release mode from npm 11 and workspaces (#7970) (@wraithgar)
• workspace: @npmcli/arborist@9.0.0
• workspace: @npmcli/config@10.0.0
• workspace: `libnpmaccess@10.0.0`
• workspace: `libnpmdiff@8.0.0`
• workspace: `libnpmexec@10.0.0`
• workspace: `libnpmfund@7.0.0`
• workspace: `libnpmorg@8.0.0`
• workspace: `libnpmpack@9.0.0`
• workspace: `libnpmpublish@11.0.0`
• workspace: `libnpmsearch@9.0.0`
• workspace: `libnpmteam@8.0.0`
• workspace: `libnpmversion@8.0.0`

11.0.0-pre.1 (2024-12-06)

⚠️ BREAKING CHANGES

• Upon publishing, in order to apply a default "latest" dist tag, the command now retrieves all prior versions of the package. It will require that the version you're trying to publish is above the latest semver version in the registry, not including pre-release tags.
• npm init now has a type prompt, and sorts the entries in created packages differently
• bun.lockb files are now included in the strict ignore list during packing

  Features

• f3ac7b7 #7939 no implicit latest tag on publish when latest > version (#7939) (@reggi, @ljharb)

  Bug Fixes

• e362c6d #7944 prefix: remove duplicate -g from usage output (#7944) (@wraithgar)

  Documentation

• 2af31dd #7947 change certfile to cafile (#7947) (@wraithgar)
• 1be8e95 #7945 update ignore rules (@wraithgar)

  Dependencies

• bc9b14d #7955 @npmcli/run-script@9.0.2
• fecfcf4 #7955 `node-gyp@11.0.0`
• 8905037 #7955 `p-map@7.0.2`
• ac8eb39 #7955 `diff@7.0.0`
• c0bcc2a #7955 `walk-up-path@4.0.0`
• d463a6f #7955 `init-package-json@8.0.0`
• b87ba24 #7945 @npmcli/package-json@6.1.0
• 4bf1901 #7945 @npmcli/metavuln-calculator@9.0.0
• ca84b22 #7945 `pacote@21.0.0`
• 4906f3d #7945 `npm-packlist@10.0.0`

  Chores

• cfdf214 #7943 fork changelog (#7943) (@wraithgar)
• workspace: @npmcli/arborist@9.0.0-pre.1
• workspace: @npmcli/config@10.0.0-pre.1
• workspace: `libnpmdiff@8.0.0-pre.1`
• workspace: `libnpmexec@10.0.0-pre.1`
• workspace: `libnpmfund@7.0.0-pre.1`
• workspace: `libnpmorg@8.0.0-pre.1`
• workspace: `libnpmpack@9.0.0-pre.1`

11.0.0-pre.0 (2024-11-26)

⚠️ BREAKING CHANGES

• When publishing a package with a pre-release version, you must explicitly specify a tag.
• --ignore-scripts now applies to all lifecycle scripts, include prepare
• npm will no longer fall back to the old audit endpoint if the bulk advisory request fails.
• npm will no longer switch to global mode if aliased to "npmg" or "npm-g" etc.
• The npm hook command has been removed
• Attestations made by this package will no longer validate in npm versions prior to 10.6.0
• npm now supports node ^20.17.0 || >=22.9.0
• @npmcli/docs now supports node ^20.17.0 || >=22.9.0

  Features

• 6995303 #7850 adds --ignore-scripts flag to pack (@reggi)

  Bug Fixes

• 16b7367 #7910 publishing prerelease requires explicit tag (#7910) (@reggi)
• e19bff0 #7901 perf: enable compile cache if present (#7901) (@H4ad)
• 080a0f2 #7911 remove old audit fallback request (@wraithgar)
• 780afc5 #7855 pkg: display if any of multiple attributes exist (#7855) (@Sanderovich)
• ecd2d23 #7842 don't go into global mode if aliased to npmg (#7842) (@wraithgar)
• 62c71e5 #7835 removes npm hook command (@reggi)
• 7f541e8 #7815 make pack and exec work with git hash refs (#7815) (@milaninfy)
• 3162620 #7831 sets node engine range to ^20.17.0 || >=22.9.0 (@reggi)
• 4c8ba0a #7831 for @npmcli/docs sets node engine range to ^20.17.0 || >=22.9.0 (@reggi)
• 70cd88d #7808 view: sort and truncate dist-tags (#7808) (@wraithgar)
• 534ad77 #7795 remove unused parameters catch statements (#7795) (@btea)

  Documentation

• feb54f7 #7822 package.json: add libc field (#7822) (@wraithgar)

  Dependencies

• 78293ad #7937 `spdx-license-ids@3.0.20`
• 33cf580 #7937 `promise-call-limit@3.0.2`
• ef1c368 #7937 `package-json-from-dist@1.0.1`
• 92e6f07 #7937 `npm-registry-fetch@18.0.2`
• e32284a #7937 `npm-install-checks@7.1.1`
• 5dffd11 #7937 `negotiator@0.6.4`
• 69d9f01 #7937 `make-fetch-happen@14.0.3`
• 884bbde #7937 `hosted-git-info@8.0.2`
• 3c74ec0 #7937 `debug@4.3.7`
• f00359f #7937 `cross-spawn@7.0.6`
• 534bbe8 #7937 `ci-info@4.1.0`
• 8cbf1a7 #7937 @npmcli/promise-spawn@8.0.2
• 1bd39e7 #7937 @npmcli/map-workspaces@4.0.2
• eb6498d #7937 `ansi-regex@6.1.0`
• 66fc8c9 #7850 @npmcli/metavuln-calculator@8.0.1
• 7dbef6f #7850 `pacote@20.0.0`
• 75a3f12 #7859 remove unused deps (#7859)
• f36dc59 #7833 `pacote@19.0.1`
• 7ee15bb #7833 bump sigstore from 2.x to 3.0.0 (@bdehamer)

  Chores

• 2d530a5 #7941 tests: account for when npm is a prerelease (#7941) (@wraithgar)
• 2c1b369 #7937 dev dependency updates (@wraithgar)
• 6edfe2f #7937 @npmcli/template-oss@4.23.5 (@wraithgar)
• 475285b #7920 clean up dependency graph repos (#7920) (@hashtagchris)
• ec57f5f #7911 fix dependencies script for circular workspace deps (@wraithgar)
• ccd8420 #7911 fix cli tests for audit fallback removal (@wraithgar)
• 720b4d8 #7833 bump @npmcli/arborist to 8.0.0 (@wraithgar)
• 286739c #7824 add creation of a DEPENDENCIES.json file (#7824) (@reggi)
• 852dd8b #7831 sets npm 11 to prerelease (@reggi)
• 95d009e #7831 update engine ^20.17.0 || >=22.9.0 in actions (@reggi)
• 5a74478 #7831 update engines ^20.17.0 || >=22.9.0 in package template (@reggi)
• workspace: @npmcli/arborist@9.0.0-pre.0
• workspace: @npmcli/config@10.0.0-pre.0
• workspace: `libnpmaccess@10.0.0-pre.0`
• workspace: `libnpmdiff@8.0.0-pre.0`
• workspace: `libnpmexec@10.0.0-pre.0`
• workspace: `libnpmfund@7.0.0-pre.0`
• workspace: `libnpmorg@8.0.0-pre.0`
• workspace: `libnpmpack@9.0.0-pre.0`
• workspace: `libnpmpublish@11.0.0-pre.0`
• workspace: `libnpmsearch@9.0.0-pre.0`
• workspace: `libnpmteam@8.0.0-pre.0`
• workspace: `libnpmversion@8.0.0-pre.0`