npm: v12.0.0-pre.0.0 Release

12.0.0-pre.0.0 (2026-05-20)

⚠️ BREAKING CHANGES

• npm view --json now always returns an array.
• npm sbom --sbom-format=cyclonedx now reports the name field from each package's package.json instead of the on-disk directory name. The name, bom-ref, and purl of the root component and of aliased dependencies may change.
• npm no longer registers man pages with the system when installed globally. man npm-install will no longer work, but npm help install is unaffected.
• The npm pkg output is no longer forced to json. This means you can get single values without having to worry about wrapping of the values. It also outputs non-json content more similarly to npm view.
• npm shrinkwrap is removed, the shrinkwrap config alias is removed, and npm-shrinkwrap.json is no longer loaded or honored at the project root or from inside dependency tarballs. Rename project-root npm-shrinkwrap.json to package-lock.json; use bundleDependencies if you need to ship a locked dependency tree.
• The Twitter and Freenode profile fields have been removed from the npm registry. This means that users will no longer be able to set or view these fields in their npm profiles.
• npm will no longer attempt to resolve the path to node via whichnode. process.execPath is already set by Node to the resolved real path of the node binary, so the lookup was redundant. Scripts that expected npm to override process.execPath with a PATH-resolved (potentially symlinked) node path may be affected.
• the --json output of npm pack and npm publish have changed. They are now always consistent, and in the same format.
• the star, stars and unstar commands have been removed
• The npm adduser command has been removed. Create and manage user accounts on the npm website, and use npm login to authenticate on the command line. ### Features
• 254809e #9201 npm stage (#9201) (@reggi, @Copilot)
• cf94dbe #9248 add permissions support to trust commands (#9248) (@reggi, @Copilot)
• e0f12f7 #9348 add allow-git/allow-file/allow-directory/allow-remote configs (@owlstronaut)
• 916cb4b #9287 add allow-directory, allow-file, and allow-remote (#9287) (@wraithgar)
• 2e5dcad #9262 drop npm-shrinkwrap.json support (@owlstronaut)
• 2397196 #9265 Remove Twitter and Freenode profile fields (@owlstronaut)
• 738be10 #9196 remove star commands (#9196) (@wraithgar)
• db7c1f8 #9163 add u as alias for update command (#9163) (@Ausoj)
• 45e44dd #9228 adds a backport script (@owlstronaut) ### Bug Fixes
• 2a13550 #9380 key stage download --json output by package name (#9380) (@reggi, @Copilot)
• ca585c8 #9368 allow min-release-age in npmrc to coexist with --before (@raazkhnl)
• f550eb4 #9348 refactor #failureNode, adjust tests and safety (@owlstronaut)
• 1f17566 #9348 allow-remote=none does not block registry tarballs (@owlstronaut)
• 70af7b3 #9327 remove settings (#9327) (@owlstronaut)
• d623988 #9311 sbom: dedupe per-node dependsOn / relationships (#9311) (@mikaelkristiansson)
• d36945d #9160 do not unwrap single-item arrays in --json output (@yetanotheraryan)
• faf7348 #9284 align CycloneDX SBOM component names with SPDX (#9284) (@cyphercodes, @cyphercodes)
• e20424b #9035 don't install man pages in system locations (@owlstronaut)
• 01d9acd #9269 pkg: output like npm view does, do not force json output (@wraithgar)
• 27567ab #9257 ignore intended error code (@owlstronaut)
• 4ef5b6e #9039 stop resolving node path via whichnode (@owlstronaut)
• 2e9b26e #9247 sync json output of pack and publish (#9247) (@wraithgar)
• 7357d7f #9036 remove npm adduser command (@owlstronaut) ### Documentation
• c97b39b #9363 add example to optionalDependencies section (#9363) (@verifizieren)
• 6704ab2 #9335 npm view with json outputs array docs update (#9335) (@yetanotheraryan) ### Dependencies
• d151521 #9382 socks@2.8.9
• a77416e #9382 lru-cache@11.5.0
• b2717e4 #9382 ip-address@10.2.0
• 1c4a796 #9382 brace-expansion@5.0.6
• e36a4e3 #9382 bin-links@6.0.2
• 91bd674 #9382 tar@7.5.15
• 66c7ff1 #9382 semver@7.8.0
• 514c71b #9382 hosted-git-info@9.0.3
• fbe1dd0 #9316 socks@10.1.1
• af65766 #9316 ip-address@10.1.1
• 37bd0c6 #9316 cidr-regex@5.0.5
• 5af02ec #9270 lru-cache@11.3.5
• 799866f #9270 node-gyp@12.3.0
• 79d394e #9270 is-cidr@6.0.4
• 9669d31 #9207 @sigstore/protobuf-specs@0.5.1
• b09a5ac #9207 tinyglobby@0.2.16
• 150231d #9207 picomatch@4.0.4
• 413e0a0 #9207 lru-cache@11.3.3
• 6faa25e #9207 diff@8.0.4
• 87bb9d0 #9207 minimatch@10.2.5
• 2501dd8 #9207 tar@7.5.13
• ccce5f6 #9207 minipass-flush@1.0.6 ### Chores
• f502c4f #9382 dev dependency updates (@owlstronaut)
• 4259e57 #9316 dev dependency updates (@owlstronaut)
• d68bd36 #9317 add cli-triage team as codeowner (#9317) (@owlstronaut)
• b9332e6 #9270 dev dependency updates (@owlstronaut)
• cc468a8 #9269 refactor tests (@wraithgar)
• 2ca36c4 #9261 fixed non-functional typos throughout the codebase (@opensourcezeal)
• 8131de4 #9239 add action permission for backport workflow (@owlstronaut)
• 6df5f91 #9232 backports can trigger CI (@owlstronaut)
• 07552f5 #9224 don't run npm update in CI (@owlstronaut)
• 05dbba5 #9195 enable prerelease mode (#9195) (@wraithgar)
• workspace: @npmcli/arborist@10.0.0-pre.0.0
• workspace: @npmcli/config@11.0.0-pre.0.0
• workspace: libnpmdiff@8.1.6-pre.0.0
• workspace: libnpmexec@10.2.6-pre.0.0
• workspace: libnpmfund@7.0.20-pre.0.0
• workspace: libnpmpack@10.0.0-pre.0.0
• workspace: libnpmpublish@11.2.0-pre.0.0
• workspace: libnpmversion@9.0.0-pre.0.0