deps: upgrade npm to 10.9.5

[npm-cli-bot]

10.9.5 (2026-03-04)

Bug Fixes

• 794f6c8 #9011 backport linked strategy fixes from multiple PRs to v10 (#9011) (@manzoorwanijk)

Dependencies

• 6717032 #9056 tuf-js@3.1.0
• e4e25ea #9056 tinyglobby@0.2.15
• 9464329 #9056 socks@2.8.7
• 23c3e17 #9056 postcss-selector-parser@7.1.1
• 77f9c29 #9056 p-map@7.0.4
• f1a0315 #9056 npm-install-checks@7.1.2
• ad7d3ac #9056 normalize-package-data@7.0.1
• 63a7c82 #9056 node-gyp@11.5.0
• 569d807 #9056 isexe@3.1.5
• 7dbe993 #9056 fdir@6.5.0
• f241a38 #9056 exponential-backoff@3.1.3
• bdeabff #9056 ci-info@4.4.0
• d8ebcd5 #9056 aproba@2.1.0
• be1b008 #9056 spdx-license-ids@3.0.23
• 1005efd #9056 strip-ansi@7.2.0
• d00bf96 #9056 diff@5.2.2
• 7a74819 #9056 debug@4.4.3
• 938db00 #9056 minipass@7.1.3
• 70e90e5 #9056 minimatch@9.0.9
• 733ff41 #9056 glob@10.5.0
• ea8227a #9056 ansi-styles@6.2.3
• edd20ef #9056 ansi-regex@6.2.2
• 2592b45 #9056 agent-base@7.7.4
• 3174366 #9056 semver@7.7.4
• 380df0e #9056 tar@7.5.9
• 49025ae #9056 chalk@5.6.2
• 64601cd #9056 @npmcli/promise-spawn@8.0.3
• 0e23c00 #9056 validate-npm-package-name@6.0.2

Chores

• 72cc7de #9056 template-oss@4.29.0 (@wraithgar)
• 51711b8 #9056 dev dependency updates (@wraithgar)
• workspace: @npmcli/arborist@8.0.2
• workspace: libnpmdiff@7.0.2
• workspace: libnpmexec@9.0.2
• workspace: libnpmfund@6.0.2
• workspace: libnpmpack@8.0.2
• workspace: libnpmpublish@10.0.2

[nodejs-github-bot]

Review requested:

• @nodejs/security-wg

[wraithgar]

This needs a dont-land-on-v20.x tag please!

[manzoorwanijk]

This needs a dont-land-on-v20.x tag please!

Is there any specific requirement for these changes to not work in v20?

[Renegade334]

This needs a dont-land-on-v20.x tag please!

Is there any specific requirement for these changes to not work in v20?

#58847 (comment)

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/71577/

[wraithgar]

This needs a dont-land-on-v20.x tag please!

Is there any specific requirement for these changes to not work in v20?

npm@10 works just fine in node 20, but we can't update it in releases anymore because of a breaking change in python requirements in node-gyp. Most folks will be able to update on their own without any problems.

[marco-ippolito]

This needs a dont-land-on-v20.x tag please!

Is there any specific requirement for these changes to not work in v20?

npm@10 works just fine in node 20, but we can't update it in releases anymore because of a breaking change in python requirements in node-gyp. Most folks will be able to update on their own without any problems.

If I understood correctly, a breaking node-gyp upgrade was included in the npm release? Was it a semver major upgrade of node-gyp? I'm trying to understand if its possible to revert the breaking change so users can upgrade npm on node v20 without breaking changes

[richardlau]

This needs a dont-land-on-v20.x tag please!

Is there any specific requirement for these changes to not work in v20?

npm@10 works just fine in node 20, but we can't update it in releases anymore because of a breaking change in python requirements in node-gyp. Most folks will be able to update on their own without any problems.

If I understood correctly, a breaking node-gyp upgrade was included in the npm release? Was it a semver major upgrade of node-gyp? I'm trying to understand if its possible to revert the breaking change so users can upgrade npm on node v20 without breaking changes

nodejs/node-gyp#3149 introduced the walrus operator (incompatible with Python 3.7 and 3.6) and went out in node-gyp 11.2.0.

[wraithgar]

This needs a dont-land-on-v20.x tag please!

Is there any specific requirement for these changes to not work in v20?

npm@10 works just fine in node 20, but we can't update it in releases anymore because of a breaking change in python requirements in node-gyp. Most folks will be able to update on their own without any problems.

If I understood correctly, a breaking node-gyp upgrade was included in the npm release? Was it a semver major upgrade of node-gyp? I'm trying to understand if its possible to revert the breaking change so users can upgrade npm on node v20 without breaking changes

It was not, it was a minor release. It was a part of node-gyp that wasn't really on anyone's radar for checking breaking changes, but it is now. There was even a discussion in the update PR that talked about updating python and nobody clocked it. It was just an oversight that we're now having to deal with.

Folks wanting to use the newest npm@10 in node 20 can still override which node-gyp is used via config. So even for the subset of folks this affects there is a workaround.

[marco-ippolito]

Could it be possible to revert that breaking change or is it too late/ there are other breaking changes?
If its python syntax I could rewrite it a python 3.6 compatible way and push it in a new node-gyp release

[wraithgar]

Could it be possible to revert that breaking change or is it too late/ there are other breaking changes?

I do not know the specifics of if or how node-gyp@10 could be patched but downgrading it in npm itself would likely be a breaking change much larger than the python version issue.

ETA: node 20 goes eol in approximately one month. I don't think large disruptions are warranted here.