chore: release 12.0.0-pre.1

.release-please-manifest.json

@@ -1,15 +1,15 @@
 {
-  ".": "12.0.0-pre.0",
-  "workspaces/arborist": "10.0.0-pre.0",
+  ".": "12.0.0-pre.1",
+  "workspaces/arborist": "10.0.0-pre.1",
   "workspaces/libnpmaccess": "10.0.3",
-  "workspaces/libnpmdiff": "8.1.6-pre.0",
-  "workspaces/libnpmexec": "10.2.6-pre.0",
-  "workspaces/libnpmfund": "7.0.20-pre.0",
+  "workspaces/libnpmdiff": "9.0.0-pre.0",
+  "workspaces/libnpmexec": "10.3.0-pre.0",
+  "workspaces/libnpmfund": "7.0.20-pre.1",
   "workspaces/libnpmorg": "8.0.1",
-  "workspaces/libnpmpack": "10.0.0-pre.0",
-  "workspaces/libnpmpublish": "11.2.0-pre.0",
+  "workspaces/libnpmpack": "10.0.0-pre.1",
+  "workspaces/libnpmpublish": "12.0.0-pre.0",
   "workspaces/libnpmsearch": "9.0.1",
   "workspaces/libnpmteam": "8.0.2",
-  "workspaces/libnpmversion": "9.0.0-pre.0",
-  "workspaces/config": "11.0.0-pre.0"
+  "workspaces/libnpmversion": "9.0.0-pre.1",
+  "workspaces/config": "11.0.0-pre.1"
 }

AUTHORS

@@ -1016,3 +1016,14 @@ ecanturk <46566566+ecanturk@users.noreply.github.com>
 Max <135263966+verifizieren@users.noreply.github.com>
 Tea Reggi <reggi@github.com>
 raazkhnl <raazkhnl@gmail.com>
+Oliver Byford <oliver.byford@digital.cabinet-office.gov.uk>
+Zelys <zelys@dfkhelper.com>
+Jamie Magee <jamie.magee@gmail.com>
+Puneet Dixit <puneetdixit4321@gmail.com>
+12122J <javiergomezbu@gmail.com>
+Jamie Magee <jamagee@microsoft.com>
+Shaan Majid <70789625+shaanmajid@users.noreply.github.com>
+Minh Vu <vuhoangminh97@gmail.com>
+Dexter.k <164054284+rootvector2@users.noreply.github.com>
+meeech <4623+meeech@users.noreply.github.com>
+Abhinav <mrabhinav2k03@gmail.com>

CHANGELOG.md

@@ -1,5 +1,56 @@
 # Changelog
 
+## [12.0.0-pre.1](https://github.com/npm/cli/compare/v12.0.0-pre.0...v12.0.0-pre.1) (2026-06-04)
+### ⚠️ BREAKING CHANGES
+* allow-git and allow-remote now default to "none"; set them to "all" (or "root") to install git or user-supplied tarball-URL dependencies.
+* root \`preinstall\` now runs before dependencies are installed.
+* unknown configs in .npmrc, unknown CLI flags, abbreviated flags, and single-hyphen multi-char shorthands now throw instead of warning.
+### Features
+* [`5cd5150`](https://github.com/npm/cli/commit/5cd5150d3e85dcf5d246e7e5c9de216c2ff849db) [#9424](https://github.com/npm/cli/pull/9424) default-deny install scripts (allowScripts opt-in) [v12] (@JamieMagee)
+* [`64e3f79`](https://github.com/npm/cli/commit/64e3f798344e66f4c500636cb8aec5c8111a1fe9) [#9480](https://github.com/npm/cli/pull/9480) allowScripts tooling and inBundle hardening (#9480) (@JamieMagee)
+* [`caa3295`](https://github.com/npm/cli/commit/caa329568d32587e53f6e098f43b550dd2685034) [#9466](https://github.com/npm/cli/pull/9466) default allow-git and allow-remote to none (@owlstronaut)
+* [`f2e4a28`](https://github.com/npm/cli/commit/f2e4a285ec5ed43055462a47db6d330758a16e64) [#9351](https://github.com/npm/cli/pull/9351) add a global npmignore file (#9351) (@ljharb)
+* [`c9be2d1`](https://github.com/npm/cli/commit/c9be2d1efadd353e743bcebd52faaa5aa64e2fc0) [#9153](https://github.com/npm/cli/pull/9153) publish --access=private alias for restricted (#9153) (@reggi, @Copilot)
+* [`7068d42`](https://github.com/npm/cli/commit/7068d4286eb446fdb0ded08d15d7b5c3883d80f5) [#9360](https://github.com/npm/cli/pull/9360) Phase 1 of `allowScripts` opt-in install-script policy (#9360) (@JamieMagee)
+* [`979518d`](https://github.com/npm/cli/commit/979518dd198b9f2beb788c6c3cdcd1e055b03d22) [#9276](https://github.com/npm/cli/pull/9276) error on unknown configs, flags, and abbreviations (#9276) (@owlstronaut)
+### Bug Fixes
+* [`bf623e0`](https://github.com/npm/cli/commit/bf623e0a9ea568a47b777c563e48a097cb12e442) [#9473](https://github.com/npm/cli/pull/9473) validate registry path for allow-remote tarballs (@Abhinav-143x)
+* [`6be874b`](https://github.com/npm/cli/commit/6be874b88174e87f004b31cbbdda54d0d50cb399) [#9479](https://github.com/npm/cli/pull/9479) list pending scripts in approve-scripts when ignore-scripts is set (#9479) (@JamieMagee)
+* [`6603b2c`](https://github.com/npm/cli/commit/6603b2c5fdbb5d4ec504199b2f10b5b378168016) [#9469](https://github.com/npm/cli/pull/9469) suggest --allow-scripts for global installs in unreviewed-scripts warnings (#9469) (@JamieMagee)
+* [`fe820b6`](https://github.com/npm/cli/commit/fe820b6f2bbac9fdb3c8937d6d5bf6544bac55fc) [#9442](https://github.com/npm/cli/pull/9442) invalid issue template YAML indentation (#9442) (@fallintoplace)
+* [`fe41ae7`](https://github.com/npm/cli/commit/fe41ae7c6b38e7e9957b646bf379e2b5daae03f9) [#9404](https://github.com/npm/cli/pull/9404) show full parent command path in subcommand usage errors (#9404) (@shaanmajid)
+* [`75bf7de`](https://github.com/npm/cli/commit/75bf7decec60da0e68296356b8da82d3eb18f0bc) [#9456](https://github.com/npm/cli/pull/9456) respect allowScripts policy in prune, dedupe, uninstall, audit fix, and link (@JamieMagee)
+* [`6efac6e`](https://github.com/npm/cli/commit/6efac6ead98af50c5a40fc45cb657bbee496a584) [#9453](https://github.com/npm/cli/pull/9453) config: clarify --all help so it's accurate for approve-scripts and deny-scripts (@JamieMagee)
+* [`b97edc0`](https://github.com/npm/cli/commit/b97edc0193017800ecb1f26d212977729ca19739) [#9430](https://github.com/npm/cli/pull/9430) audit: don't apply min-release-age before filter when verifying installed signatures (@JamieMagee)
+* [`080e3b2`](https://github.com/npm/cli/commit/080e3b29e69d35d7b0f4823a9ac7ab4e1e4d1af6) [#9425](https://github.com/npm/cli/pull/9425) block forbidden keys in Queryable setter to prevent prototype pollution (@12122J, @claude)
+* [`c5292fa`](https://github.com/npm/cli/commit/c5292fa8a09a56b25394d393faf21e47ffb096c0) [#9422](https://github.com/npm/cli/pull/9422) use prerelease strategy without a bug (@owlstronaut)
+* [`33aebaa`](https://github.com/npm/cli/commit/33aebaa58541ac0af3882cc0b56f09b1b676740a) [#9410](https://github.com/npm/cli/pull/9410) fix typo of fullMetadata (@owlstronaut)
+* [`2a03860`](https://github.com/npm/cli/commit/2a03860fcafe92b22770fc554b25994b29bacbdb) [#9267](https://github.com/npm/cli/pull/9267) run root preinstall before reify (@owlstronaut)
+* [`c0fc549`](https://github.com/npm/cli/commit/c0fc54935af8e17a3a96cbdeac52bb4c597803b6) [#9372](https://github.com/npm/cli/pull/9372) config: pause progress spinner during interactive editor spawn (#9372) (@Zelys-DFKH, @claude)
+### Documentation
+* [`aac80dc`](https://github.com/npm/cli/commit/aac80dc00748863ed4bdec90a49e33b0d9d3ed93) [#9470](https://github.com/npm/cli/pull/9470) update minimum npm required for npm trust (@meeech)
+* [`d124c08`](https://github.com/npm/cli/commit/d124c0858da0b138cda2addcb0987b063ca86a47) [#9385](https://github.com/npm/cli/pull/9385) Document `npm_old_version` and `npm_new_version` environment variables (#9385) (@36degrees)
+### Dependencies
+* [`d28783e`](https://github.com/npm/cli/commit/d28783e3f00feecf4ca76b497e80ffd281af1655) [#9420](https://github.com/npm/cli/pull/9420) `undici@6.26.0`
+* [`7f6c6ef`](https://github.com/npm/cli/commit/7f6c6ef49023286bed47a334cc2bd0064cb8ec05) [#9420](https://github.com/npm/cli/pull/9420) `sigstore@4.1.1`
+* [`ee61b6e`](https://github.com/npm/cli/commit/ee61b6e8279b1d26d28a47613d66a9deb5c06529) [#9420](https://github.com/npm/cli/pull/9420) `lru-cache@11.5.1`
+* [`d5ddef2`](https://github.com/npm/cli/commit/d5ddef2571b5b26dfade31eb040dbd4a096aeed8) [#9420](https://github.com/npm/cli/pull/9420) `@sigstore/verify@3.1.1`
+* [`11e7ac7`](https://github.com/npm/cli/commit/11e7ac72c3ea0490f8d5edfb4bd5a60729d25b66) [#9420](https://github.com/npm/cli/pull/9420) `@sigstore/core@3.2.1`
+* [`11cd66e`](https://github.com/npm/cli/commit/11cd66e10490af0ef46ceeb5e8764a855580a2de) [#9420](https://github.com/npm/cli/pull/9420) `@npmcli/agent@4.0.2`
+* [`8be4c04`](https://github.com/npm/cli/commit/8be4c046fbbbb8ede02a288b727fcbf7470956fb) [#9420](https://github.com/npm/cli/pull/9420) `semver@7.8.1`
+* [`577d61d`](https://github.com/npm/cli/commit/577d61da646833994ecfda8b2f1dc993ec9b58d1) [#9420](https://github.com/npm/cli/pull/9420) `make-fetch-happen@15.0.6`
+### Chores
+* [`da63c79`](https://github.com/npm/cli/commit/da63c79be758fd9d3faa9f5edf962219c805c579) [#9420](https://github.com/npm/cli/pull/9420) dev dependency updates (@owlstronaut)
+* [`5fc9bc0`](https://github.com/npm/cli/commit/5fc9bc0f202aadedd7b123394560047671afca6b) [#9393](https://github.com/npm/cli/pull/9393) sanitize newlines in flags table default and type values (#9393) (@reggi, @Copilot)
+* [workspace](https://github.com/npm/cli/releases/tag/arborist-v10.0.0-pre.1): `@npmcli/arborist@10.0.0-pre.1`
+* [workspace](https://github.com/npm/cli/releases/tag/config-v11.0.0-pre.1): `@npmcli/config@11.0.0-pre.1`
+* [workspace](https://github.com/npm/cli/releases/tag/libnpmdiff-v9.0.0-pre.0): `libnpmdiff@9.0.0-pre.0`
+* [workspace](https://github.com/npm/cli/releases/tag/libnpmexec-v10.3.0-pre.0): `libnpmexec@10.3.0-pre.0`
+* [workspace](https://github.com/npm/cli/releases/tag/libnpmfund-v7.0.20-pre.1): `libnpmfund@7.0.20-pre.1`
+* [workspace](https://github.com/npm/cli/releases/tag/libnpmpack-v10.0.0-pre.1): `libnpmpack@10.0.0-pre.1`
+* [workspace](https://github.com/npm/cli/releases/tag/libnpmpublish-v12.0.0-pre.0): `libnpmpublish@12.0.0-pre.0`
+* [workspace](https://github.com/npm/cli/releases/tag/libnpmversion-v9.0.0-pre.1): `libnpmversion@9.0.0-pre.1`
+
 ## [12.0.0-pre.0.0](https://github.com/npm/cli/compare/v11.12.1...v12.0.0-pre.0.0) (2026-05-20)
 ### ⚠️ BREAKING CHANGES
 * npm view --json now always returns an array.

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "npm",
-  "version": "12.0.0-pre.0",
+  "version": "12.0.0-pre.1",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "npm",
-      "version": "12.0.0-pre.0",
+      "version": "12.0.0-pre.1",
       "bundleDependencies": [
         "@isaacs/string-locale-compare",
         "@npmcli/arborist",
@@ -84,8 +84,8 @@
       ],
       "dependencies": {
         "@isaacs/string-locale-compare": "^1.1.0",
-        "@npmcli/arborist": "^10.0.0-pre.0",
-        "@npmcli/config": "^11.0.0-pre.0",
+        "@npmcli/arborist": "^10.0.0-pre.1",
+        "@npmcli/config": "^11.0.0-pre.1",
         "@npmcli/fs": "^5.0.0",
         "@npmcli/map-workspaces": "^5.0.3",
         "@npmcli/metavuln-calculator": "^9.0.3",
@@ -109,15 +109,15 @@
         "is-cidr": "^6.0.4",
         "json-parse-even-better-errors": "^5.0.0",
         "libnpmaccess": "^10.0.3",
-        "libnpmdiff": "^8.1.6-pre.0",
-        "libnpmexec": "^10.2.6-pre.0",
-        "libnpmfund": "^7.0.20-pre.0",
+        "libnpmdiff": "^9.0.0-pre.0",
+        "libnpmexec": "^10.3.0-pre.0",
+        "libnpmfund": "^7.0.20-pre.1",
         "libnpmorg": "^8.0.1",
-        "libnpmpack": "^10.0.0-pre.0",
-        "libnpmpublish": "^11.2.0-pre.0",
+        "libnpmpack": "^10.0.0-pre.1",
+        "libnpmpublish": "^12.0.0-pre.0",
         "libnpmsearch": "^9.0.1",
         "libnpmteam": "^8.0.2",
-        "libnpmversion": "^9.0.0-pre.0",
+        "libnpmversion": "^9.0.0-pre.1",
         "make-fetch-happen": "^15.0.6",
         "minimatch": "^10.2.5",
         "minipass": "^7.1.3",
@@ -14689,7 +14689,7 @@
     },
     "workspaces/arborist": {
       "name": "@npmcli/arborist",
-      "version": "10.0.0-pre.0",
+      "version": "10.0.0-pre.1",
       "license": "ISC",
       "dependencies": {
         "@gar/promise-retry": "^1.0.0",
@@ -14747,7 +14747,7 @@
     },
     "workspaces/config": {
       "name": "@npmcli/config",
-      "version": "11.0.0-pre.0",
+      "version": "11.0.0-pre.1",
       "license": "ISC",
       "dependencies": {
         "@npmcli/map-workspaces": "^5.0.0",
@@ -14787,10 +14787,10 @@
       }
     },
     "workspaces/libnpmdiff": {
-      "version": "8.1.6-pre.0",
+      "version": "9.0.0-pre.0",
       "license": "ISC",
       "dependencies": {
-        "@npmcli/arborist": "^10.0.0-pre.0",
+        "@npmcli/arborist": "^10.0.0-pre.1",
         "@npmcli/installed-package-contents": "^4.0.0",
         "binary-extensions": "^3.0.0",
         "diff": "^8.0.2",
@@ -14809,11 +14809,11 @@
       }
     },
     "workspaces/libnpmexec": {
-      "version": "10.2.6-pre.0",
+      "version": "10.3.0-pre.0",
       "license": "ISC",
       "dependencies": {
         "@gar/promise-retry": "^1.0.0",
-        "@npmcli/arborist": "^10.0.0-pre.0",
+        "@npmcli/arborist": "^10.0.0-pre.1",
         "@npmcli/package-json": "^7.0.0",
         "@npmcli/run-script": "^10.0.0",
         "ci-info": "^4.0.0",
@@ -14840,10 +14840,10 @@
       }
     },
     "workspaces/libnpmfund": {
-      "version": "7.0.20-pre.0",
+      "version": "7.0.20-pre.1",
       "license": "ISC",
       "dependencies": {
-        "@npmcli/arborist": "^10.0.0-pre.0"
+        "@npmcli/arborist": "^10.0.0-pre.1"
       },
       "devDependencies": {
         "@npmcli/eslint-config": "^5.0.1",
@@ -14873,10 +14873,10 @@
       }
     },
     "workspaces/libnpmpack": {
-      "version": "10.0.0-pre.0",
+      "version": "10.0.0-pre.1",
       "license": "ISC",
       "dependencies": {
-        "@npmcli/arborist": "^10.0.0-pre.0",
+        "@npmcli/arborist": "^10.0.0-pre.1",
         "@npmcli/run-script": "^10.0.0",
         "npm-package-arg": "^13.0.0",
         "pacote": "^21.0.2"
@@ -14893,7 +14893,7 @@
       }
     },
     "workspaces/libnpmpublish": {
-      "version": "11.2.0-pre.0",
+      "version": "12.0.0-pre.0",
       "license": "ISC",
       "dependencies": {
         "@npmcli/package-json": "^7.0.0",
@@ -14950,7 +14950,7 @@
       }
     },
     "workspaces/libnpmversion": {
-      "version": "9.0.0-pre.0",
+      "version": "9.0.0-pre.1",
       "license": "ISC",
       "dependencies": {
         "@npmcli/git": "^7.0.0",

package.json

@@ -1,5 +1,5 @@
 {
-  "version": "12.0.0-pre.0",
+  "version": "12.0.0-pre.1",
   "name": "npm",
   "description": "a package manager for JavaScript",
   "workspaces": [
@@ -48,8 +48,8 @@
   },
   "dependencies": {
     "@isaacs/string-locale-compare": "^1.1.0",
-    "@npmcli/arborist": "^10.0.0-pre.0",
-    "@npmcli/config": "^11.0.0-pre.0",
+    "@npmcli/arborist": "^10.0.0-pre.1",
+    "@npmcli/config": "^11.0.0-pre.1",
     "@npmcli/fs": "^5.0.0",
     "@npmcli/map-workspaces": "^5.0.3",
     "@npmcli/metavuln-calculator": "^9.0.3",
@@ -73,15 +73,15 @@
     "is-cidr": "^6.0.4",
     "json-parse-even-better-errors": "^5.0.0",
     "libnpmaccess": "^10.0.3",
-    "libnpmdiff": "^8.1.6-pre.0",
-    "libnpmexec": "^10.2.6-pre.0",
-    "libnpmfund": "^7.0.20-pre.0",
+    "libnpmdiff": "^9.0.0-pre.0",
+    "libnpmexec": "^10.3.0-pre.0",
+    "libnpmfund": "^7.0.20-pre.1",
     "libnpmorg": "^8.0.1",
-    "libnpmpack": "^10.0.0-pre.0",
-    "libnpmpublish": "^11.2.0-pre.0",
+    "libnpmpack": "^10.0.0-pre.1",
+    "libnpmpublish": "^12.0.0-pre.0",
     "libnpmsearch": "^9.0.1",
     "libnpmteam": "^8.0.2",
-    "libnpmversion": "^9.0.0-pre.0",
+    "libnpmversion": "^9.0.0-pre.1",
     "make-fetch-happen": "^15.0.6",
     "minimatch": "^10.2.5",
     "minipass": "^7.1.3",

workspaces/arborist/CHANGELOG.md

@@ -1,5 +1,20 @@
 # Changelog
 
+## [10.0.0-pre.1](https://github.com/npm/cli/compare/arborist-v10.0.0-pre.0...arborist-v10.0.0-pre.1) (2026-06-04)
+### Features
+* [`5cd5150`](https://github.com/npm/cli/commit/5cd5150d3e85dcf5d246e7e5c9de216c2ff849db) [#9424](https://github.com/npm/cli/pull/9424) default-deny install scripts (allowScripts opt-in) [v12] (@JamieMagee)
+* [`64e3f79`](https://github.com/npm/cli/commit/64e3f798344e66f4c500636cb8aec5c8111a1fe9) [#9480](https://github.com/npm/cli/pull/9480) allowScripts tooling and inBundle hardening (#9480) (@JamieMagee)
+* [`7068d42`](https://github.com/npm/cli/commit/7068d4286eb446fdb0ded08d15d7b5c3883d80f5) [#9360](https://github.com/npm/cli/pull/9360) Phase 1 of `allowScripts` opt-in install-script policy (#9360) (@JamieMagee)
+### Bug Fixes
+* [`bf623e0`](https://github.com/npm/cli/commit/bf623e0a9ea568a47b777c563e48a097cb12e442) [#9473](https://github.com/npm/cli/pull/9473) validate registry path for allow-remote tarballs (@Abhinav-143x)
+* [`a105799`](https://github.com/npm/cli/commit/a10579959a5ed83d459f4c6d2f039ef5b62b4ff1) [#9461](https://github.com/npm/cli/pull/9461) arborist: link meta-only optional peers in linked strategy (@manzoorwanijk)
+* [`275bc69`](https://github.com/npm/cli/commit/275bc6934cc2d7c645e2c18dc2c12dc75d148e61) [#9441](https://github.com/npm/cli/pull/9441) arborist: clean up orphaned scoped store entries in linked strategy (@manzoorwanijk)
+* [`9f3c97f`](https://github.com/npm/cli/commit/9f3c97f83443ee00b9ca6beaf3e8cec95d3199ad) [#9452](https://github.com/npm/cli/pull/9452) sanitize package name in linked-strategy path construction (@owlstronaut)
+* [`a81f2f8`](https://github.com/npm/cli/commit/a81f2f8f4e89c202e57c32b60ee9d27020b49be0) [#9428](https://github.com/npm/cli/pull/9428) arborist: read install scripts from disk on lockfile installs instead of a sentinel (@JamieMagee)
+* [`c5292fa`](https://github.com/npm/cli/commit/c5292fa8a09a56b25394d393faf21e47ffb096c0) [#9422](https://github.com/npm/cli/pull/9422) use prerelease strategy without a bug (@owlstronaut)
+* [`dac7ff6`](https://github.com/npm/cli/commit/dac7ff6d3d62422bb8dad136fcb8f48e99a4594a) [#9399](https://github.com/npm/cli/pull/9399) arborist: drop self-link materialization for undeclared workspaces (#9399) (@manzoorwanijk)
+* [`b77850e`](https://github.com/npm/cli/commit/b77850e550a15c6205fdafc9e3843323b7135923) [#9395](https://github.com/npm/cli/pull/9395) skip hidden lockfile save on dry run (#9395) (@puneetdixit200, @puneetdixit200)
+
 ## [10.0.0-pre.0.0](https://github.com/npm/cli/compare/arborist-v9.4.2...arborist-v10.0.0-pre.0.0) (2026-05-20)
 ### ⚠️ BREAKING CHANGES
 * `npm shrinkwrap` is removed, the `shrinkwrap` config alias is removed, and `npm-shrinkwrap.json` is no longer loaded or honored at the project root or from inside dependency tarballs. Rename project-root `npm-shrinkwrap.json` to `package-lock.json`; use `bundleDependencies` if you need to ship a locked dependency tree.

workspaces/arborist/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@npmcli/arborist",
-  "version": "10.0.0-pre.0",
+  "version": "10.0.0-pre.1",
   "description": "Manage node_modules trees",
   "dependencies": {
     "@gar/promise-retry": "^1.0.0",