From fcdc77f8a222256dc056c325df9b8b39385ee56d Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
 <41898282+github-actions[bot]@users.noreply.github.com>
Date: Thu, 4 Jun 2026 14:15:43 +0000
Subject: [PATCH] chore: release 12.0.0-pre.1

---
 .release-please-manifest.json         | 18 +++++-----
 AUTHORS                               | 11 ++++++
 CHANGELOG.md                          | 51 +++++++++++++++++++++++++++
 package-lock.json                     | 44 +++++++++++------------
 package.json                          | 18 +++++-----
 workspaces/arborist/CHANGELOG.md      | 15 ++++++++
 workspaces/arborist/package.json      |  2 +-
 workspaces/config/CHANGELOG.md        | 15 ++++++++
 workspaces/config/package.json        |  2 +-
 workspaces/libnpmdiff/CHANGELOG.md    | 13 +++++++
 workspaces/libnpmdiff/package.json    |  4 +--
 workspaces/libnpmexec/CHANGELOG.md    | 13 +++++++
 workspaces/libnpmexec/package.json    |  4 +--
 workspaces/libnpmfund/CHANGELOG.md    |  9 +++++
 workspaces/libnpmfund/package.json    |  4 +--
 workspaces/libnpmpack/CHANGELOG.md    | 14 ++++++++
 workspaces/libnpmpack/package.json    |  4 +--
 workspaces/libnpmpublish/CHANGELOG.md |  7 ++++
 workspaces/libnpmpublish/package.json |  2 +-
 workspaces/libnpmversion/CHANGELOG.md |  6 ++++
 workspaces/libnpmversion/package.json |  2 +-
 21 files changed, 206 insertions(+), 52 deletions(-)

diff --git a/.release-please-manifest.json b/.release-please-manifest.json
index a19f3797bb2bc..a9b54903009a3 100644
--- a/.release-please-manifest.json
+++ b/.release-please-manifest.json
@@ -1,15 +1,15 @@
 {
-  ".": "12.0.0-pre.0",
-  "workspaces/arborist": "10.0.0-pre.0",
+  ".": "12.0.0-pre.1",
+  "workspaces/arborist": "10.0.0-pre.1",
   "workspaces/libnpmaccess": "10.0.3",
-  "workspaces/libnpmdiff": "8.1.6-pre.0",
-  "workspaces/libnpmexec": "10.2.6-pre.0",
-  "workspaces/libnpmfund": "7.0.20-pre.0",
+  "workspaces/libnpmdiff": "9.0.0-pre.0",
+  "workspaces/libnpmexec": "10.3.0-pre.0",
+  "workspaces/libnpmfund": "7.0.20-pre.1",
   "workspaces/libnpmorg": "8.0.1",
-  "workspaces/libnpmpack": "10.0.0-pre.0",
-  "workspaces/libnpmpublish": "11.2.0-pre.0",
+  "workspaces/libnpmpack": "10.0.0-pre.1",
+  "workspaces/libnpmpublish": "12.0.0-pre.0",
   "workspaces/libnpmsearch": "9.0.1",
   "workspaces/libnpmteam": "8.0.2",
-  "workspaces/libnpmversion": "9.0.0-pre.0",
-  "workspaces/config": "11.0.0-pre.0"
+  "workspaces/libnpmversion": "9.0.0-pre.1",
+  "workspaces/config": "11.0.0-pre.1"
 }
diff --git a/AUTHORS b/AUTHORS
index 406be117a0203..ba2c3fb95a01e 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -1016,3 +1016,14 @@ ecanturk <46566566+ecanturk@users.noreply.github.com>
 Max <135263966+verifizieren@users.noreply.github.com>
 Tea Reggi <reggi@github.com>
 raazkhnl <raazkhnl@gmail.com>
+Oliver Byford <oliver.byford@digital.cabinet-office.gov.uk>
+Zelys <zelys@dfkhelper.com>
+Jamie Magee <jamie.magee@gmail.com>
+Puneet Dixit <puneetdixit4321@gmail.com>
+12122J <javiergomezbu@gmail.com>
+Jamie Magee <jamagee@microsoft.com>
+Shaan Majid <70789625+shaanmajid@users.noreply.github.com>
+Minh Vu <vuhoangminh97@gmail.com>
+Dexter.k <164054284+rootvector2@users.noreply.github.com>
+meeech <4623+meeech@users.noreply.github.com>
+Abhinav <mrabhinav2k03@gmail.com>
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 29711d1aac3fd..fae4757d30eb8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,56 @@
 # Changelog
 
+## [12.0.0-pre.1](https://github.com/npm/cli/compare/v12.0.0-pre.0...v12.0.0-pre.1) (2026-06-04)
+### ⚠️ BREAKING CHANGES
+* allow-git and allow-remote now default to "none"; set them to "all" (or "root") to install git or user-supplied tarball-URL dependencies.
+* root \`preinstall\` now runs before dependencies are installed.
+* unknown configs in .npmrc, unknown CLI flags, abbreviated flags, and single-hyphen multi-char shorthands now throw instead of warning.
+### Features
+* [`5cd5150`](https://github.com/npm/cli/commit/5cd5150d3e85dcf5d246e7e5c9de216c2ff849db) [#9424](https://github.com/npm/cli/pull/9424) default-deny install scripts (allowScripts opt-in) [v12] (@JamieMagee)
+* [`64e3f79`](https://github.com/npm/cli/commit/64e3f798344e66f4c500636cb8aec5c8111a1fe9) [#9480](https://github.com/npm/cli/pull/9480) allowScripts tooling and inBundle hardening (#9480) (@JamieMagee)
+* [`caa3295`](https://github.com/npm/cli/commit/caa329568d32587e53f6e098f43b550dd2685034) [#9466](https://github.com/npm/cli/pull/9466) default allow-git and allow-remote to none (@owlstronaut)
+* [`f2e4a28`](https://github.com/npm/cli/commit/f2e4a285ec5ed43055462a47db6d330758a16e64) [#9351](https://github.com/npm/cli/pull/9351) add a global npmignore file (#9351) (@ljharb)
+* [`c9be2d1`](https://github.com/npm/cli/commit/c9be2d1efadd353e743bcebd52faaa5aa64e2fc0) [#9153](https://github.com/npm/cli/pull/9153) publish --access=private alias for restricted (#9153) (@reggi, @Copilot)
+* [`7068d42`](https://github.com/npm/cli/commit/7068d4286eb446fdb0ded08d15d7b5c3883d80f5) [#9360](https://github.com/npm/cli/pull/9360) Phase 1 of `allowScripts` opt-in install-script policy (#9360) (@JamieMagee)
+* [`979518d`](https://github.com/npm/cli/commit/979518dd198b9f2beb788c6c3cdcd1e055b03d22) [#9276](https://github.com/npm/cli/pull/9276) error on unknown configs, flags, and abbreviations (#9276) (@owlstronaut)
+### Bug Fixes
+* [`bf623e0`](https://github.com/npm/cli/commit/bf623e0a9ea568a47b777c563e48a097cb12e442) [#9473](https://github.com/npm/cli/pull/9473) validate registry path for allow-remote tarballs (@Abhinav-143x)
+* [`6be874b`](https://github.com/npm/cli/commit/6be874b88174e87f004b31cbbdda54d0d50cb399) [#9479](https://github.com/npm/cli/pull/9479) list pending scripts in approve-scripts when ignore-scripts is set (#9479) (@JamieMagee)
+* [`6603b2c`](https://github.com/npm/cli/commit/6603b2c5fdbb5d4ec504199b2f10b5b378168016) [#9469](https://github.com/npm/cli/pull/9469) suggest --allow-scripts for global installs in unreviewed-scripts warnings (#9469) (@JamieMagee)
+* [`fe820b6`](https://github.com/npm/cli/commit/fe820b6f2bbac9fdb3c8937d6d5bf6544bac55fc) [#9442](https://github.com/npm/cli/pull/9442) invalid issue template YAML indentation (#9442) (@fallintoplace)
+* [`fe41ae7`](https://github.com/npm/cli/commit/fe41ae7c6b38e7e9957b646bf379e2b5daae03f9) [#9404](https://github.com/npm/cli/pull/9404) show full parent command path in subcommand usage errors (#9404) (@shaanmajid)
+* [`75bf7de`](https://github.com/npm/cli/commit/75bf7decec60da0e68296356b8da82d3eb18f0bc) [#9456](https://github.com/npm/cli/pull/9456) respect allowScripts policy in prune, dedupe, uninstall, audit fix, and link (@JamieMagee)
+* [`6efac6e`](https://github.com/npm/cli/commit/6efac6ead98af50c5a40fc45cb657bbee496a584) [#9453](https://github.com/npm/cli/pull/9453) config: clarify --all help so it's accurate for approve-scripts and deny-scripts (@JamieMagee)
+* [`b97edc0`](https://github.com/npm/cli/commit/b97edc0193017800ecb1f26d212977729ca19739) [#9430](https://github.com/npm/cli/pull/9430) audit: don't apply min-release-age before filter when verifying installed signatures (@JamieMagee)
+* [`080e3b2`](https://github.com/npm/cli/commit/080e3b29e69d35d7b0f4823a9ac7ab4e1e4d1af6) [#9425](https://github.com/npm/cli/pull/9425) block forbidden keys in Queryable setter to prevent prototype pollution (@12122J, @claude)
+* [`c5292fa`](https://github.com/npm/cli/commit/c5292fa8a09a56b25394d393faf21e47ffb096c0) [#9422](https://github.com/npm/cli/pull/9422) use prerelease strategy without a bug (@owlstronaut)
+* [`33aebaa`](https://github.com/npm/cli/commit/33aebaa58541ac0af3882cc0b56f09b1b676740a) [#9410](https://github.com/npm/cli/pull/9410) fix typo of fullMetadata (@owlstronaut)
+* [`2a03860`](https://github.com/npm/cli/commit/2a03860fcafe92b22770fc554b25994b29bacbdb) [#9267](https://github.com/npm/cli/pull/9267) run root preinstall before reify (@owlstronaut)
+* [`c0fc549`](https://github.com/npm/cli/commit/c0fc54935af8e17a3a96cbdeac52bb4c597803b6) [#9372](https://github.com/npm/cli/pull/9372) config: pause progress spinner during interactive editor spawn (#9372) (@Zelys-DFKH, @claude)
+### Documentation
+* [`aac80dc`](https://github.com/npm/cli/commit/aac80dc00748863ed4bdec90a49e33b0d9d3ed93) [#9470](https://github.com/npm/cli/pull/9470) update minimum npm required for npm trust (@meeech)
+* [`d124c08`](https://github.com/npm/cli/commit/d124c0858da0b138cda2addcb0987b063ca86a47) [#9385](https://github.com/npm/cli/pull/9385) Document `npm_old_version` and `npm_new_version` environment variables (#9385) (@36degrees)
+### Dependencies
+* [`d28783e`](https://github.com/npm/cli/commit/d28783e3f00feecf4ca76b497e80ffd281af1655) [#9420](https://github.com/npm/cli/pull/9420) `undici@6.26.0`
+* [`7f6c6ef`](https://github.com/npm/cli/commit/7f6c6ef49023286bed47a334cc2bd0064cb8ec05) [#9420](https://github.com/npm/cli/pull/9420) `sigstore@4.1.1`
+* [`ee61b6e`](https://github.com/npm/cli/commit/ee61b6e8279b1d26d28a47613d66a9deb5c06529) [#9420](https://github.com/npm/cli/pull/9420) `lru-cache@11.5.1`
+* [`d5ddef2`](https://github.com/npm/cli/commit/d5ddef2571b5b26dfade31eb040dbd4a096aeed8) [#9420](https://github.com/npm/cli/pull/9420) `@sigstore/verify@3.1.1`
+* [`11e7ac7`](https://github.com/npm/cli/commit/11e7ac72c3ea0490f8d5edfb4bd5a60729d25b66) [#9420](https://github.com/npm/cli/pull/9420) `@sigstore/core@3.2.1`
+* [`11cd66e`](https://github.com/npm/cli/commit/11cd66e10490af0ef46ceeb5e8764a855580a2de) [#9420](https://github.com/npm/cli/pull/9420) `@npmcli/agent@4.0.2`
+* [`8be4c04`](https://github.com/npm/cli/commit/8be4c046fbbbb8ede02a288b727fcbf7470956fb) [#9420](https://github.com/npm/cli/pull/9420) `semver@7.8.1`
+* [`577d61d`](https://github.com/npm/cli/commit/577d61da646833994ecfda8b2f1dc993ec9b58d1) [#9420](https://github.com/npm/cli/pull/9420) `make-fetch-happen@15.0.6`
+### Chores
+* [`da63c79`](https://github.com/npm/cli/commit/da63c79be758fd9d3faa9f5edf962219c805c579) [#9420](https://github.com/npm/cli/pull/9420) dev dependency updates (@owlstronaut)
+* [`5fc9bc0`](https://github.com/npm/cli/commit/5fc9bc0f202aadedd7b123394560047671afca6b) [#9393](https://github.com/npm/cli/pull/9393) sanitize newlines in flags table default and type values (#9393) (@reggi, @Copilot)
+* [workspace](https://github.com/npm/cli/releases/tag/arborist-v10.0.0-pre.1): `@npmcli/arborist@10.0.0-pre.1`
+* [workspace](https://github.com/npm/cli/releases/tag/config-v11.0.0-pre.1): `@npmcli/config@11.0.0-pre.1`
+* [workspace](https://github.com/npm/cli/releases/tag/libnpmdiff-v9.0.0-pre.0): `libnpmdiff@9.0.0-pre.0`
+* [workspace](https://github.com/npm/cli/releases/tag/libnpmexec-v10.3.0-pre.0): `libnpmexec@10.3.0-pre.0`
+* [workspace](https://github.com/npm/cli/releases/tag/libnpmfund-v7.0.20-pre.1): `libnpmfund@7.0.20-pre.1`
+* [workspace](https://github.com/npm/cli/releases/tag/libnpmpack-v10.0.0-pre.1): `libnpmpack@10.0.0-pre.1`
+* [workspace](https://github.com/npm/cli/releases/tag/libnpmpublish-v12.0.0-pre.0): `libnpmpublish@12.0.0-pre.0`
+* [workspace](https://github.com/npm/cli/releases/tag/libnpmversion-v9.0.0-pre.1): `libnpmversion@9.0.0-pre.1`
+
 ## [12.0.0-pre.0.0](https://github.com/npm/cli/compare/v11.12.1...v12.0.0-pre.0.0) (2026-05-20)
 ### ⚠️ BREAKING CHANGES
 * npm view --json now always returns an array.
diff --git a/package-lock.json b/package-lock.json
index 2e42b5d5f7818..6eb03664a0862 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "npm",
-  "version": "12.0.0-pre.0",
+  "version": "12.0.0-pre.1",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "npm",
-      "version": "12.0.0-pre.0",
+      "version": "12.0.0-pre.1",
       "bundleDependencies": [
         "@isaacs/string-locale-compare",
         "@npmcli/arborist",
@@ -84,8 +84,8 @@
       ],
       "dependencies": {
         "@isaacs/string-locale-compare": "^1.1.0",
-        "@npmcli/arborist": "^10.0.0-pre.0",
-        "@npmcli/config": "^11.0.0-pre.0",
+        "@npmcli/arborist": "^10.0.0-pre.1",
+        "@npmcli/config": "^11.0.0-pre.1",
         "@npmcli/fs": "^5.0.0",
         "@npmcli/map-workspaces": "^5.0.3",
         "@npmcli/metavuln-calculator": "^9.0.3",
@@ -109,15 +109,15 @@
         "is-cidr": "^6.0.4",
         "json-parse-even-better-errors": "^5.0.0",
         "libnpmaccess": "^10.0.3",
-        "libnpmdiff": "^8.1.6-pre.0",
-        "libnpmexec": "^10.2.6-pre.0",
-        "libnpmfund": "^7.0.20-pre.0",
+        "libnpmdiff": "^9.0.0-pre.0",
+        "libnpmexec": "^10.3.0-pre.0",
+        "libnpmfund": "^7.0.20-pre.1",
         "libnpmorg": "^8.0.1",
-        "libnpmpack": "^10.0.0-pre.0",
-        "libnpmpublish": "^11.2.0-pre.0",
+        "libnpmpack": "^10.0.0-pre.1",
+        "libnpmpublish": "^12.0.0-pre.0",
         "libnpmsearch": "^9.0.1",
         "libnpmteam": "^8.0.2",
-        "libnpmversion": "^9.0.0-pre.0",
+        "libnpmversion": "^9.0.0-pre.1",
         "make-fetch-happen": "^15.0.6",
         "minimatch": "^10.2.5",
         "minipass": "^7.1.3",
@@ -14689,7 +14689,7 @@
     },
     "workspaces/arborist": {
       "name": "@npmcli/arborist",
-      "version": "10.0.0-pre.0",
+      "version": "10.0.0-pre.1",
       "license": "ISC",
       "dependencies": {
         "@gar/promise-retry": "^1.0.0",
@@ -14747,7 +14747,7 @@
     },
     "workspaces/config": {
       "name": "@npmcli/config",
-      "version": "11.0.0-pre.0",
+      "version": "11.0.0-pre.1",
       "license": "ISC",
       "dependencies": {
         "@npmcli/map-workspaces": "^5.0.0",
@@ -14787,10 +14787,10 @@
       }
     },
     "workspaces/libnpmdiff": {
-      "version": "8.1.6-pre.0",
+      "version": "9.0.0-pre.0",
       "license": "ISC",
       "dependencies": {
-        "@npmcli/arborist": "^10.0.0-pre.0",
+        "@npmcli/arborist": "^10.0.0-pre.1",
         "@npmcli/installed-package-contents": "^4.0.0",
         "binary-extensions": "^3.0.0",
         "diff": "^8.0.2",
@@ -14809,11 +14809,11 @@
       }
     },
     "workspaces/libnpmexec": {
-      "version": "10.2.6-pre.0",
+      "version": "10.3.0-pre.0",
       "license": "ISC",
       "dependencies": {
         "@gar/promise-retry": "^1.0.0",
-        "@npmcli/arborist": "^10.0.0-pre.0",
+        "@npmcli/arborist": "^10.0.0-pre.1",
         "@npmcli/package-json": "^7.0.0",
         "@npmcli/run-script": "^10.0.0",
         "ci-info": "^4.0.0",
@@ -14840,10 +14840,10 @@
       }
     },
     "workspaces/libnpmfund": {
-      "version": "7.0.20-pre.0",
+      "version": "7.0.20-pre.1",
       "license": "ISC",
       "dependencies": {
-        "@npmcli/arborist": "^10.0.0-pre.0"
+        "@npmcli/arborist": "^10.0.0-pre.1"
       },
       "devDependencies": {
         "@npmcli/eslint-config": "^5.0.1",
@@ -14873,10 +14873,10 @@
       }
     },
     "workspaces/libnpmpack": {
-      "version": "10.0.0-pre.0",
+      "version": "10.0.0-pre.1",
       "license": "ISC",
       "dependencies": {
-        "@npmcli/arborist": "^10.0.0-pre.0",
+        "@npmcli/arborist": "^10.0.0-pre.1",
         "@npmcli/run-script": "^10.0.0",
         "npm-package-arg": "^13.0.0",
         "pacote": "^21.0.2"
@@ -14893,7 +14893,7 @@
       }
     },
     "workspaces/libnpmpublish": {
-      "version": "11.2.0-pre.0",
+      "version": "12.0.0-pre.0",
       "license": "ISC",
       "dependencies": {
         "@npmcli/package-json": "^7.0.0",
@@ -14950,7 +14950,7 @@
       }
     },
     "workspaces/libnpmversion": {
-      "version": "9.0.0-pre.0",
+      "version": "9.0.0-pre.1",
       "license": "ISC",
       "dependencies": {
         "@npmcli/git": "^7.0.0",
diff --git a/package.json b/package.json
index 2cb0402575dc4..4c7e903d011bf 100644
--- a/package.json
+++ b/package.json
@@ -1,5 +1,5 @@
 {
-  "version": "12.0.0-pre.0",
+  "version": "12.0.0-pre.1",
   "name": "npm",
   "description": "a package manager for JavaScript",
   "workspaces": [
@@ -48,8 +48,8 @@
   },
   "dependencies": {
     "@isaacs/string-locale-compare": "^1.1.0",
-    "@npmcli/arborist": "^10.0.0-pre.0",
-    "@npmcli/config": "^11.0.0-pre.0",
+    "@npmcli/arborist": "^10.0.0-pre.1",
+    "@npmcli/config": "^11.0.0-pre.1",
     "@npmcli/fs": "^5.0.0",
     "@npmcli/map-workspaces": "^5.0.3",
     "@npmcli/metavuln-calculator": "^9.0.3",
@@ -73,15 +73,15 @@
     "is-cidr": "^6.0.4",
     "json-parse-even-better-errors": "^5.0.0",
     "libnpmaccess": "^10.0.3",
-    "libnpmdiff": "^8.1.6-pre.0",
-    "libnpmexec": "^10.2.6-pre.0",
-    "libnpmfund": "^7.0.20-pre.0",
+    "libnpmdiff": "^9.0.0-pre.0",
+    "libnpmexec": "^10.3.0-pre.0",
+    "libnpmfund": "^7.0.20-pre.1",
     "libnpmorg": "^8.0.1",
-    "libnpmpack": "^10.0.0-pre.0",
-    "libnpmpublish": "^11.2.0-pre.0",
+    "libnpmpack": "^10.0.0-pre.1",
+    "libnpmpublish": "^12.0.0-pre.0",
     "libnpmsearch": "^9.0.1",
     "libnpmteam": "^8.0.2",
-    "libnpmversion": "^9.0.0-pre.0",
+    "libnpmversion": "^9.0.0-pre.1",
     "make-fetch-happen": "^15.0.6",
     "minimatch": "^10.2.5",
     "minipass": "^7.1.3",
diff --git a/workspaces/arborist/CHANGELOG.md b/workspaces/arborist/CHANGELOG.md
index b85341dfbe11e..dbf305669f91b 100644
--- a/workspaces/arborist/CHANGELOG.md
+++ b/workspaces/arborist/CHANGELOG.md
@@ -1,5 +1,20 @@
 # Changelog
 
+## [10.0.0-pre.1](https://github.com/npm/cli/compare/arborist-v10.0.0-pre.0...arborist-v10.0.0-pre.1) (2026-06-04)
+### Features
+* [`5cd5150`](https://github.com/npm/cli/commit/5cd5150d3e85dcf5d246e7e5c9de216c2ff849db) [#9424](https://github.com/npm/cli/pull/9424) default-deny install scripts (allowScripts opt-in) [v12] (@JamieMagee)
+* [`64e3f79`](https://github.com/npm/cli/commit/64e3f798344e66f4c500636cb8aec5c8111a1fe9) [#9480](https://github.com/npm/cli/pull/9480) allowScripts tooling and inBundle hardening (#9480) (@JamieMagee)
+* [`7068d42`](https://github.com/npm/cli/commit/7068d4286eb446fdb0ded08d15d7b5c3883d80f5) [#9360](https://github.com/npm/cli/pull/9360) Phase 1 of `allowScripts` opt-in install-script policy (#9360) (@JamieMagee)
+### Bug Fixes
+* [`bf623e0`](https://github.com/npm/cli/commit/bf623e0a9ea568a47b777c563e48a097cb12e442) [#9473](https://github.com/npm/cli/pull/9473) validate registry path for allow-remote tarballs (@Abhinav-143x)
+* [`a105799`](https://github.com/npm/cli/commit/a10579959a5ed83d459f4c6d2f039ef5b62b4ff1) [#9461](https://github.com/npm/cli/pull/9461) arborist: link meta-only optional peers in linked strategy (@manzoorwanijk)
+* [`275bc69`](https://github.com/npm/cli/commit/275bc6934cc2d7c645e2c18dc2c12dc75d148e61) [#9441](https://github.com/npm/cli/pull/9441) arborist: clean up orphaned scoped store entries in linked strategy (@manzoorwanijk)
+* [`9f3c97f`](https://github.com/npm/cli/commit/9f3c97f83443ee00b9ca6beaf3e8cec95d3199ad) [#9452](https://github.com/npm/cli/pull/9452) sanitize package name in linked-strategy path construction (@owlstronaut)
+* [`a81f2f8`](https://github.com/npm/cli/commit/a81f2f8f4e89c202e57c32b60ee9d27020b49be0) [#9428](https://github.com/npm/cli/pull/9428) arborist: read install scripts from disk on lockfile installs instead of a sentinel (@JamieMagee)
+* [`c5292fa`](https://github.com/npm/cli/commit/c5292fa8a09a56b25394d393faf21e47ffb096c0) [#9422](https://github.com/npm/cli/pull/9422) use prerelease strategy without a bug (@owlstronaut)
+* [`dac7ff6`](https://github.com/npm/cli/commit/dac7ff6d3d62422bb8dad136fcb8f48e99a4594a) [#9399](https://github.com/npm/cli/pull/9399) arborist: drop self-link materialization for undeclared workspaces (#9399) (@manzoorwanijk)
+* [`b77850e`](https://github.com/npm/cli/commit/b77850e550a15c6205fdafc9e3843323b7135923) [#9395](https://github.com/npm/cli/pull/9395) skip hidden lockfile save on dry run (#9395) (@puneetdixit200, @puneetdixit200)
+
 ## [10.0.0-pre.0.0](https://github.com/npm/cli/compare/arborist-v9.4.2...arborist-v10.0.0-pre.0.0) (2026-05-20)
 ### ⚠️ BREAKING CHANGES
 * `npm shrinkwrap` is removed, the `shrinkwrap` config alias is removed, and `npm-shrinkwrap.json` is no longer loaded or honored at the project root or from inside dependency tarballs. Rename project-root `npm-shrinkwrap.json` to `package-lock.json`; use `bundleDependencies` if you need to ship a locked dependency tree.
diff --git a/workspaces/arborist/package.json b/workspaces/arborist/package.json
index 12496f22b26ed..9773b399a07a4 100644
--- a/workspaces/arborist/package.json
+++ b/workspaces/arborist/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@npmcli/arborist",
-  "version": "10.0.0-pre.0",
+  "version": "10.0.0-pre.1",
   "description": "Manage node_modules trees",
   "dependencies": {
     "@gar/promise-retry": "^1.0.0",
diff --git a/workspaces/config/CHANGELOG.md b/workspaces/config/CHANGELOG.md
index 14cdd55e7d9ca..9a54ab3fdd58f 100644
--- a/workspaces/config/CHANGELOG.md
+++ b/workspaces/config/CHANGELOG.md
@@ -1,5 +1,20 @@
 # Changelog
 
+## [11.0.0-pre.1](https://github.com/npm/cli/compare/config-v11.0.0-pre.0...config-v11.0.0-pre.1) (2026-06-04)
+### ⚠️ BREAKING CHANGES
+* allow-git and allow-remote now default to "none"; set them to "all" (or "root") to install git or user-supplied tarball-URL dependencies.
+* unknown configs in .npmrc, unknown CLI flags, abbreviated flags, and single-hyphen multi-char shorthands now throw instead of warning.
+### Features
+* [`5cd5150`](https://github.com/npm/cli/commit/5cd5150d3e85dcf5d246e7e5c9de216c2ff849db) [#9424](https://github.com/npm/cli/pull/9424) default-deny install scripts (allowScripts opt-in) [v12] (@JamieMagee)
+* [`caa3295`](https://github.com/npm/cli/commit/caa329568d32587e53f6e098f43b550dd2685034) [#9466](https://github.com/npm/cli/pull/9466) default allow-git and allow-remote to none (@owlstronaut)
+* [`f2e4a28`](https://github.com/npm/cli/commit/f2e4a285ec5ed43055462a47db6d330758a16e64) [#9351](https://github.com/npm/cli/pull/9351) add a global npmignore file (#9351) (@ljharb)
+* [`c9be2d1`](https://github.com/npm/cli/commit/c9be2d1efadd353e743bcebd52faaa5aa64e2fc0) [#9153](https://github.com/npm/cli/pull/9153) publish --access=private alias for restricted (#9153) (@reggi, @Copilot)
+* [`7068d42`](https://github.com/npm/cli/commit/7068d4286eb446fdb0ded08d15d7b5c3883d80f5) [#9360](https://github.com/npm/cli/pull/9360) Phase 1 of `allowScripts` opt-in install-script policy (#9360) (@JamieMagee)
+* [`979518d`](https://github.com/npm/cli/commit/979518dd198b9f2beb788c6c3cdcd1e055b03d22) [#9276](https://github.com/npm/cli/pull/9276) error on unknown configs, flags, and abbreviations (#9276) (@owlstronaut)
+### Bug Fixes
+* [`6efac6e`](https://github.com/npm/cli/commit/6efac6ead98af50c5a40fc45cb657bbee496a584) [#9453](https://github.com/npm/cli/pull/9453) config: clarify --all help so it's accurate for approve-scripts and deny-scripts (@JamieMagee)
+* [`c5292fa`](https://github.com/npm/cli/commit/c5292fa8a09a56b25394d393faf21e47ffb096c0) [#9422](https://github.com/npm/cli/pull/9422) use prerelease strategy without a bug (@owlstronaut)
+
 ## [11.0.0-pre.0.0](https://github.com/npm/cli/compare/config-v10.8.1...config-v11.0.0-pre.0.0) (2026-05-20)
 ### ⚠️ BREAKING CHANGES
 * `npm shrinkwrap` is removed, the `shrinkwrap` config alias is removed, and `npm-shrinkwrap.json` is no longer loaded or honored at the project root or from inside dependency tarballs. Rename project-root `npm-shrinkwrap.json` to `package-lock.json`; use `bundleDependencies` if you need to ship a locked dependency tree.
diff --git a/workspaces/config/package.json b/workspaces/config/package.json
index d9b6d353b8061..c41ee5bba5ad8 100644
--- a/workspaces/config/package.json
+++ b/workspaces/config/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@npmcli/config",
-  "version": "11.0.0-pre.0",
+  "version": "11.0.0-pre.1",
   "files": [
     "bin/",
     "lib/"
diff --git a/workspaces/libnpmdiff/CHANGELOG.md b/workspaces/libnpmdiff/CHANGELOG.md
index 8ab00dc44161f..127a6e7d974d2 100644
--- a/workspaces/libnpmdiff/CHANGELOG.md
+++ b/workspaces/libnpmdiff/CHANGELOG.md
@@ -68,6 +68,19 @@
 
 * [workspace](https://github.com/npm/cli/releases/tag/arborist-v10.0.0-pre.0.0): `@npmcli/arborist@10.0.0-pre.0.0`
 
+## [9.0.0-pre.0](https://github.com/npm/cli/compare/libnpmdiff-v8.1.6-pre.0...libnpmdiff-v9.0.0-pre.0) (2026-06-04)
+### ⚠️ BREAKING CHANGES
+* allow-git and allow-remote now default to "none"; set them to "all" (or "root") to install git or user-supplied tarball-URL dependencies.
+### Features
+* [`caa3295`](https://github.com/npm/cli/commit/caa329568d32587e53f6e098f43b550dd2685034) [#9466](https://github.com/npm/cli/pull/9466) default allow-git and allow-remote to none (@owlstronaut)
+### Bug Fixes
+* [`c5292fa`](https://github.com/npm/cli/commit/c5292fa8a09a56b25394d393faf21e47ffb096c0) [#9422](https://github.com/npm/cli/pull/9422) use prerelease strategy without a bug (@owlstronaut)
+
+
+### Dependencies
+
+* [workspace](https://github.com/npm/cli/releases/tag/arborist-v10.0.0-pre.1): `@npmcli/arborist@10.0.0-pre.1`
+
 ## [8.1.0](https://github.com/npm/cli/compare/libnpmdiff-v8.0.13...libnpmdiff-v8.1.0) (2026-02-04)
 ### Features
 * [`f5f6cf7`](https://github.com/npm/cli/commit/f5f6cf7c9fc9315b96eb29c5c7d5ab63ad3a9122) [#8943](https://github.com/npm/cli/pull/8943) config: add --allow-git (@wraithgar)
diff --git a/workspaces/libnpmdiff/package.json b/workspaces/libnpmdiff/package.json
index c1ddf0669dd78..163ce96ab705e 100644
--- a/workspaces/libnpmdiff/package.json
+++ b/workspaces/libnpmdiff/package.json
@@ -1,6 +1,6 @@
 {
   "name": "libnpmdiff",
-  "version": "8.1.6-pre.0",
+  "version": "9.0.0-pre.0",
   "description": "The registry diff",
   "repository": {
     "type": "git",
@@ -47,7 +47,7 @@
     "tap": "^16.3.8"
   },
   "dependencies": {
-    "@npmcli/arborist": "^10.0.0-pre.0",
+    "@npmcli/arborist": "^10.0.0-pre.1",
     "@npmcli/installed-package-contents": "^4.0.0",
     "binary-extensions": "^3.0.0",
     "diff": "^8.0.2",
diff --git a/workspaces/libnpmexec/CHANGELOG.md b/workspaces/libnpmexec/CHANGELOG.md
index 96c16c5caaba7..d0243084fb07c 100644
--- a/workspaces/libnpmexec/CHANGELOG.md
+++ b/workspaces/libnpmexec/CHANGELOG.md
@@ -40,6 +40,19 @@
 
 * [workspace](https://github.com/npm/cli/releases/tag/arborist-v9.4.2): `@npmcli/arborist@9.4.2`
 
+## [10.3.0-pre.0](https://github.com/npm/cli/compare/libnpmexec-v10.2.6-pre.0...libnpmexec-v10.3.0-pre.0) (2026-06-04)
+### Features
+* [`64e3f79`](https://github.com/npm/cli/commit/64e3f798344e66f4c500636cb8aec5c8111a1fe9) [#9480](https://github.com/npm/cli/pull/9480) allowScripts tooling and inBundle hardening (#9480) (@JamieMagee)
+### Bug Fixes
+* [`6901bb1`](https://github.com/npm/cli/commit/6901bb185a5ca323d6d76561136a906a5023ea6d) [#9436](https://github.com/npm/cli/pull/9436) escape executable name in libnpmexec run-script (#9436) (@rootvector2)
+* [`c5292fa`](https://github.com/npm/cli/commit/c5292fa8a09a56b25394d393faf21e47ffb096c0) [#9422](https://github.com/npm/cli/pull/9422) use prerelease strategy without a bug (@owlstronaut)
+* [`6237783`](https://github.com/npm/cli/commit/62377832db5f91ae50856ef871c16e3d07c074e2) [#9408](https://github.com/npm/cli/pull/9408) exempt local project introspection from allow-directory (@owlstronaut)
+
+
+### Dependencies
+
+* [workspace](https://github.com/npm/cli/releases/tag/arborist-v10.0.0-pre.1): `@npmcli/arborist@10.0.0-pre.1`
+
 ## [10.2.6-pre.0.0](https://github.com/npm/cli/compare/libnpmexec-v10.2.5...libnpmexec-v10.2.6-pre.0.0) (2026-05-20)
 ### Bug Fixes
 * [`e9b0157`](https://github.com/npm/cli/commit/e9b0157b367aef184e7c4e99b90d9fcb8f0bff54) [#9255](https://github.com/npm/cli/pull/9255) libnpmexec: skip redundant reify for cached directory specs (#9255) (@manzoorwanijk)
diff --git a/workspaces/libnpmexec/package.json b/workspaces/libnpmexec/package.json
index f89938e254554..d95b675fda37f 100644
--- a/workspaces/libnpmexec/package.json
+++ b/workspaces/libnpmexec/package.json
@@ -1,6 +1,6 @@
 {
   "name": "libnpmexec",
-  "version": "10.2.6-pre.0",
+  "version": "10.3.0-pre.0",
   "files": [
     "bin/",
     "lib/"
@@ -61,7 +61,7 @@
   },
   "dependencies": {
     "@gar/promise-retry": "^1.0.0",
-    "@npmcli/arborist": "^10.0.0-pre.0",
+    "@npmcli/arborist": "^10.0.0-pre.1",
     "@npmcli/package-json": "^7.0.0",
     "@npmcli/run-script": "^10.0.0",
     "ci-info": "^4.0.0",
diff --git a/workspaces/libnpmfund/CHANGELOG.md b/workspaces/libnpmfund/CHANGELOG.md
index 69c6d37e3568b..a1c2285fce9c0 100644
--- a/workspaces/libnpmfund/CHANGELOG.md
+++ b/workspaces/libnpmfund/CHANGELOG.md
@@ -92,6 +92,15 @@
 
 * [workspace](https://github.com/npm/cli/releases/tag/arborist-v10.0.0-pre.0.0): `@npmcli/arborist@10.0.0-pre.0.0`
 
+## [7.0.20-pre.1](https://github.com/npm/cli/compare/libnpmfund-v7.0.20-pre.0...libnpmfund-v7.0.20-pre.1) (2026-06-04)
+### Bug Fixes
+* [`c5292fa`](https://github.com/npm/cli/commit/c5292fa8a09a56b25394d393faf21e47ffb096c0) [#9422](https://github.com/npm/cli/pull/9422) use prerelease strategy without a bug (@owlstronaut)
+
+
+### Dependencies
+
+* [workspace](https://github.com/npm/cli/releases/tag/arborist-v10.0.0-pre.1): `@npmcli/arborist@10.0.0-pre.1`
+
 ## [7.0.0](https://github.com/npm/cli/compare/libnpmfund-v7.0.0-pre.1...libnpmfund-v7.0.0) (2024-12-16)
 ### Features
 * [`a7bfc6d`](https://github.com/npm/cli/commit/a7bfc6df76882996ebb834dbca785fdf33b8c50d) [#7972](https://github.com/npm/cli/pull/7972) trigger release process (#7972) (@wraithgar)
diff --git a/workspaces/libnpmfund/package.json b/workspaces/libnpmfund/package.json
index 61e51bae8bb11..df58a7e331af3 100644
--- a/workspaces/libnpmfund/package.json
+++ b/workspaces/libnpmfund/package.json
@@ -1,6 +1,6 @@
 {
   "name": "libnpmfund",
-  "version": "7.0.20-pre.0",
+  "version": "7.0.20-pre.1",
   "main": "lib/index.js",
   "files": [
     "bin/",
@@ -46,7 +46,7 @@
     "tap": "^16.3.8"
   },
   "dependencies": {
-    "@npmcli/arborist": "^10.0.0-pre.0"
+    "@npmcli/arborist": "^10.0.0-pre.1"
   },
   "engines": {
     "node": "^20.17.0 || >=22.9.0"
diff --git a/workspaces/libnpmpack/CHANGELOG.md b/workspaces/libnpmpack/CHANGELOG.md
index 3a97997b5c241..fa98c604a4ce8 100644
--- a/workspaces/libnpmpack/CHANGELOG.md
+++ b/workspaces/libnpmpack/CHANGELOG.md
@@ -72,6 +72,20 @@
 
 * [workspace](https://github.com/npm/cli/releases/tag/arborist-v9.4.2): `@npmcli/arborist@9.4.2`
 
+## [10.0.0-pre.1](https://github.com/npm/cli/compare/libnpmpack-v10.0.0-pre.0...libnpmpack-v10.0.0-pre.1) (2026-06-04)
+### ⚠️ BREAKING CHANGES
+* allow-git and allow-remote now default to "none"; set them to "all" (or "root") to install git or user-supplied tarball-URL dependencies.
+### Features
+* [`caa3295`](https://github.com/npm/cli/commit/caa329568d32587e53f6e098f43b550dd2685034) [#9466](https://github.com/npm/cli/pull/9466) default allow-git and allow-remote to none (@owlstronaut)
+### Bug Fixes
+* [`76f8059`](https://github.com/npm/cli/commit/76f8059cd0d2482ef6c472b6c7058c51a1946d22) [#9446](https://github.com/npm/cli/pull/9446) flatten path separators in pack output filename (#9446) (@rootvector2)
+* [`c5292fa`](https://github.com/npm/cli/commit/c5292fa8a09a56b25394d393faf21e47ffb096c0) [#9422](https://github.com/npm/cli/pull/9422) use prerelease strategy without a bug (@owlstronaut)
+
+
+### Dependencies
+
+* [workspace](https://github.com/npm/cli/releases/tag/arborist-v10.0.0-pre.1): `@npmcli/arborist@10.0.0-pre.1`
+
 ## [10.0.0-pre.0.0](https://github.com/npm/cli/compare/libnpmpack-v9.1.5...libnpmpack-v10.0.0-pre.0.0) (2026-05-20)
 ### ⚠️ BREAKING CHANGES
 * npm pack and npm publish now error when a package's overrides apply to one or more of its bundled packages (bundledDependencies / bundleDependencies). Defining both fields is still allowed as long as no override actually targets a bundled package. To resolve the error, remove the affected entries from either overrides or the bundle.
diff --git a/workspaces/libnpmpack/package.json b/workspaces/libnpmpack/package.json
index a9b2352c6a7c9..8e8f2cce460de 100644
--- a/workspaces/libnpmpack/package.json
+++ b/workspaces/libnpmpack/package.json
@@ -1,6 +1,6 @@
 {
   "name": "libnpmpack",
-  "version": "10.0.0-pre.0",
+  "version": "10.0.0-pre.1",
   "description": "Programmatic API for the bits behind npm pack",
   "author": "GitHub Inc.",
   "main": "lib/index.js",
@@ -37,7 +37,7 @@
   "bugs": "https://github.com/npm/libnpmpack/issues",
   "homepage": "https://npmjs.com/package/libnpmpack",
   "dependencies": {
-    "@npmcli/arborist": "^10.0.0-pre.0",
+    "@npmcli/arborist": "^10.0.0-pre.1",
     "@npmcli/run-script": "^10.0.0",
     "npm-package-arg": "^13.0.0",
     "pacote": "^21.0.2"
diff --git a/workspaces/libnpmpublish/CHANGELOG.md b/workspaces/libnpmpublish/CHANGELOG.md
index d96607b5ab0e2..55548cc6cbb3b 100644
--- a/workspaces/libnpmpublish/CHANGELOG.md
+++ b/workspaces/libnpmpublish/CHANGELOG.md
@@ -1,5 +1,12 @@
 # Changelog
 
+## [12.0.0-pre.0](https://github.com/npm/cli/compare/libnpmpublish-v11.2.0-pre.0...libnpmpublish-v12.0.0-pre.0) (2026-06-04)
+### ⚠️ BREAKING CHANGES
+* `opts.access` now defaults to `null` instead of `'public'`. With `null`, libnpmpublish no longer sets an explicit access level in the publish payload, so new scoped packages are created as `restricted` (registry default) and republishes preserve the existing access level. Callers that want to force public access must now pass `access: 'public'` explicitly.
+### Bug Fixes
+* [`79b0c84`](https://github.com/npm/cli/commit/79b0c8490c708f12f87d9fee16878bc95ace31e6) [#9419](https://github.com/npm/cli/pull/9419) default opts.access to null to preserve registry behavior (@owlstronaut)
+* [`c5292fa`](https://github.com/npm/cli/commit/c5292fa8a09a56b25394d393faf21e47ffb096c0) [#9422](https://github.com/npm/cli/pull/9422) use prerelease strategy without a bug (@owlstronaut)
+
 ## [11.2.0-pre.0.0](https://github.com/npm/cli/compare/libnpmpublish-v11.1.3...libnpmpublish-v11.2.0-pre.0.0) (2026-05-20)
 ### Features
 * [`254809e`](https://github.com/npm/cli/commit/254809e318ee0046092d07d68a99154c3f672147) [#9201](https://github.com/npm/cli/pull/9201) npm stage (#9201) (@reggi, @Copilot)
diff --git a/workspaces/libnpmpublish/package.json b/workspaces/libnpmpublish/package.json
index 46e184b8fa795..e59978db1d9b9 100644
--- a/workspaces/libnpmpublish/package.json
+++ b/workspaces/libnpmpublish/package.json
@@ -1,6 +1,6 @@
 {
   "name": "libnpmpublish",
-  "version": "11.2.0-pre.0",
+  "version": "12.0.0-pre.0",
   "description": "Programmatic API for the bits behind npm publish and unpublish",
   "author": "GitHub Inc.",
   "main": "lib/index.js",
diff --git a/workspaces/libnpmversion/CHANGELOG.md b/workspaces/libnpmversion/CHANGELOG.md
index 868458696a4c1..4114c5933dad8 100644
--- a/workspaces/libnpmversion/CHANGELOG.md
+++ b/workspaces/libnpmversion/CHANGELOG.md
@@ -1,5 +1,11 @@
 # Changelog
 
+## [9.0.0-pre.1](https://github.com/npm/cli/compare/libnpmversion-v9.0.0-pre.0...libnpmversion-v9.0.0-pre.1) (2026-06-04)
+### Bug Fixes
+* [`c5292fa`](https://github.com/npm/cli/commit/c5292fa8a09a56b25394d393faf21e47ffb096c0) [#9422](https://github.com/npm/cli/pull/9422) use prerelease strategy without a bug (@owlstronaut)
+### Documentation
+* [`d124c08`](https://github.com/npm/cli/commit/d124c0858da0b138cda2addcb0987b063ca86a47) [#9385](https://github.com/npm/cli/pull/9385) Document `npm_old_version` and `npm_new_version` environment variables (#9385) (@36degrees)
+
 ## [9.0.0-pre.0.0](https://github.com/npm/cli/compare/libnpmversion-v8.0.3...libnpmversion-v9.0.0-pre.0.0) (2026-05-20)
 ### ⚠️ BREAKING CHANGES
 * `npm shrinkwrap` is removed, the `shrinkwrap` config alias is removed, and `npm-shrinkwrap.json` is no longer loaded or honored at the project root or from inside dependency tarballs. Rename project-root `npm-shrinkwrap.json` to `package-lock.json`; use `bundleDependencies` if you need to ship a locked dependency tree.
diff --git a/workspaces/libnpmversion/package.json b/workspaces/libnpmversion/package.json
index d26e263a2579f..9b23597b584f2 100644
--- a/workspaces/libnpmversion/package.json
+++ b/workspaces/libnpmversion/package.json
@@ -1,6 +1,6 @@
 {
   "name": "libnpmversion",
-  "version": "9.0.0-pre.0",
+  "version": "9.0.0-pre.1",
   "main": "lib/index.js",
   "files": [
     "bin/",