chore: release 12.0.0-pre.1

[github-actions]

🤖 I have created a release beep boop

12.0.0-pre.1

12.0.0-pre.1 (2026-05-28)

⚠️ BREAKING CHANGES

• root `preinstall` now runs before dependencies are installed.
• unknown configs in .npmrc, unknown CLI flags, abbreviated flags, and single-hyphen multi-char shorthands now throw instead of warning.

Features

• f2e4a28 #9351 add a global npmignore file (feat: add a global npmignore file #9351) (@ljharb)
• c9be2d1 #9153 publish --access=private alias for restricted (feat: publish --access=private alias for restricted #9153) (@reggi, @Copilot)
• 7068d42 #9360 Phase 1 of allowScripts opt-in install-script policy (feat: Phase 1 of allowScripts opt-in install-script policy #9360) (@JamieMagee)
• 979518d #9276 error on unknown configs, flags, and abbreviations (feat!: error on unknown configs, flags, and abbreviations #9276) (@owlstronaut)

Bug Fixes

• b97edc0 #9430 audit: don't apply min-release-age before filter when verifying installed signatures (@JamieMagee)
• 080e3b2 #9425 block forbidden keys in Queryable setter to prevent prototype pollution (@12122J, @claude)
• c5292fa #9422 use prerelease strategy without a bug (@owlstronaut)
• 33aebaa #9410 fix typo of fullMetadata (@owlstronaut)
• 2a03860 #9267 run root preinstall before reify (@owlstronaut)
• c0fc549 #9372 config: pause progress spinner during interactive editor spawn (fix(config): pause progress spinner during interactive editor spawn #9372) (@Zelys-DFKH, @claude)

Documentation

• d124c08 #9385 Document npm_old_version and npm_new_version environment variables (docs: Document npm_old_version and npm_new_version environment variables #9385) (@36degrees)

Dependencies

• d28783e #9420 undici@6.26.0
• 7f6c6ef #9420 sigstore@4.1.1
• ee61b6e #9420 lru-cache@11.5.1
• d5ddef2 #9420 @sigstore/verify@3.1.1
• 11e7ac7 #9420 @sigstore/core@3.2.1
• 11cd66e #9420 @npmcli/agent@4.0.2
• 8be4c04 #9420 semver@7.8.1
• 577d61d #9420 make-fetch-happen@15.0.6

Chores

• da63c79 #9420 dev dependency updates (@owlstronaut)
• 5fc9bc0 #9393 sanitize newlines in flags table default and type values (chore: sanitize newlines in flags table default and type values #9393) (@reggi, @Copilot)
• workspace: @npmcli/arborist@10.0.0-pre.1
• workspace: @npmcli/config@11.0.0-pre.1
• workspace: libnpmdiff@8.1.6-pre.1
• workspace: libnpmexec@10.2.6-pre.1
• workspace: libnpmfund@7.0.20-pre.1
• workspace: libnpmpack@10.0.0-pre.1
• workspace: libnpmpublish@12.0.0-pre.0
• workspace: libnpmversion@9.0.0-pre.1

arborist: 10.0.0-pre.1

10.0.0-pre.1 (2026-05-28)

Features

• 7068d42 #9360 Phase 1 of allowScripts opt-in install-script policy (feat: Phase 1 of allowScripts opt-in install-script policy #9360) (@JamieMagee)

Bug Fixes

• a81f2f8 #9428 arborist: read install scripts from disk on lockfile installs instead of a sentinel (@JamieMagee)
• c5292fa #9422 use prerelease strategy without a bug (@owlstronaut)
• dac7ff6 #9399 arborist: drop self-link materialization for undeclared workspaces (fix(arborist): drop self-link materialization for undeclared workspaces #9399) (@manzoorwanijk)
• b77850e #9395 skip hidden lockfile save on dry run (fix: skip hidden lockfile save on dry run #9395) (@puneetdixit200, @puneetdixit200)

config: 11.0.0-pre.1

11.0.0-pre.1 (2026-05-28)

⚠️ BREAKING CHANGES

• unknown configs in .npmrc, unknown CLI flags, abbreviated flags, and single-hyphen multi-char shorthands now throw instead of warning.

Features

• f2e4a28 #9351 add a global npmignore file (feat: add a global npmignore file #9351) (@ljharb)
• c9be2d1 #9153 publish --access=private alias for restricted (feat: publish --access=private alias for restricted #9153) (@reggi, @Copilot)
• 7068d42 #9360 Phase 1 of allowScripts opt-in install-script policy (feat: Phase 1 of allowScripts opt-in install-script policy #9360) (@JamieMagee)
• 979518d #9276 error on unknown configs, flags, and abbreviations (feat!: error on unknown configs, flags, and abbreviations #9276) (@owlstronaut)

Bug Fixes

• c5292fa #9422 use prerelease strategy without a bug (@owlstronaut)

libnpmdiff: 8.1.6-pre.1

8.1.6-pre.1 (2026-05-28)

Bug Fixes

• c5292fa #9422 use prerelease strategy without a bug (@owlstronaut)

Dependencies

• workspace: @npmcli/arborist@10.0.0-pre.1

libnpmexec: 10.2.6-pre.1

10.2.6-pre.1 (2026-05-28)

Bug Fixes

• c5292fa #9422 use prerelease strategy without a bug (@owlstronaut)
• 6237783 #9408 exempt local project introspection from allow-directory (@owlstronaut)

Dependencies

• workspace: @npmcli/arborist@10.0.0-pre.1

libnpmfund: 7.0.20-pre.1

7.0.20-pre.1 (2026-05-28)

Bug Fixes

• c5292fa #9422 use prerelease strategy without a bug (@owlstronaut)

Dependencies

• workspace: @npmcli/arborist@10.0.0-pre.1

libnpmpack: 10.0.0-pre.1

10.0.0-pre.1 (2026-05-28)

Bug Fixes

• c5292fa #9422 use prerelease strategy without a bug (@owlstronaut)

Dependencies

• workspace: @npmcli/arborist@10.0.0-pre.1

libnpmpublish: 12.0.0-pre.0

12.0.0-pre.0 (2026-05-28)

⚠️ BREAKING CHANGES

• opts.access now defaults to null instead of 'public'. With null, libnpmpublish no longer sets an explicit access level in the publish payload, so new scoped packages are created as restricted (registry default) and republishes preserve the existing access level. Callers that want to force public access must now pass access: 'public' explicitly.

Bug Fixes

• 79b0c84 #9419 default opts.access to null to preserve registry behavior (@owlstronaut)
• c5292fa #9422 use prerelease strategy without a bug (@owlstronaut)

libnpmversion: 9.0.0-pre.1

9.0.0-pre.1 (2026-05-28)

Bug Fixes

• c5292fa #9422 use prerelease strategy without a bug (@owlstronaut)

Documentation

• d124c08 #9385 Document npm_old_version and npm_new_version environment variables (docs: Document npm_old_version and npm_new_version environment variables #9385) (@36degrees)

---

This PR was generated with Release Please. See documentation.

[github-actions]

Release Manager

Release workflow run: https://github.com/npm/cli/actions/runs/26603155536

Release Checklist for v12.0.0-pre.1

• 1. Checkout the release branch

  Ensure git status is not dirty on this branch after resetting deps. If it is, then something is probably wrong with the automated release process.

  gh pr checkout 9387 --force

  npm run resetdeps

  node scripts/git-dirty.js

• 2. Check CI status

  gh pr checks --watch

• 3. Log in to npm

  npm login sessions are short lived, so you will want to have a fresh one before you publish.

  npm login

• 4. Publish the CLI and workspaces

  Warning:
  This will publish all updated workspaces to latest, prerelease or backport depending on their version, and will publish the CLI with the dist-tag set to next-12.

  Note:
  The --test argument can optionally be omitted to run the publish process without running any tests locally.

  node scripts/publish.js --test

• 5. Optionally install and test npm@12.0.0-pre.1 locally

  npm i -g npm@12.0.0-pre.1

  npm --version
  npm whoami
  npm help install
  # etc

• 6. Trigger docs.npmjs.com update

  gh workflow run update-cli.yml --repo npm/documentation

• 7. Approve and Merge release PR

  gh pr review --approve

  gh pr merge --rebase

  git checkout latest

  git fetch

  git reset --hard origin/latest

  node . run resetdeps

• 8. Wait For Release Tags

  Warning:
  The remaining steps all require the GitHub tags and releases to be created first. These are done once this PR has been labelled with autorelease: tagged.

  Release Please will run on the just merged release commit and create GitHub releases and tags for each package. The release bot will will comment on this PR when the releases and tags are created.

  Note:
  The release workflow also includes the Node integration tests which do not need to finish before continuing.

  You can watch the release workflow in your terminal with the following command:

  gh run watch `gh run list -R npm/cli -w release -b latest -L 1 --json databaseId -q ".[0].databaseId"`
  

• 9. Mark GitHub Release as latest

  Warning:
  You must wait for CI to create the release tags before running this step. These are done once this PR has been labelled with autorelease: tagged.

  Release Please will make GitHub Releases for the CLI and all workspaces, but GitHub has UI affordances for which release should appear as the "latest", which should always be the CLI. To mark the CLI release as latest run this command:

  gh release -R npm/cli edit v12.0.0-pre.1 --latest

• 10. Open nodejs/node PR to update npm

  Warning:
  You must wait for CI to create the release tags before running this step. These are done once this PR has been labelled with autorelease: tagged.

  Trigger the Create Node PR action. This will open a PR on nodejs/node to the main branch.

  First, sync our fork of node with the upstream source:

  gh repo sync npm/node --source nodejs/node --force

  Then, if we are opening a PR against the latest version of node:

  gh workflow run create-node-pr.yml -R npm/cli -f spec=next-12

  For backport releases, you must target the correct Node branch using -f branch=<NODE_MAJOR>. Make sure you are targeting the right Node major version for this npm version.

  For example, this will create a PR on nodejs/node to the v16.x-staging branch:

  gh workflow run create-node-pr.yml -R npm/cli -f spec=next-12 -f branch=16

• 11. Label and fast-track nodejs/node PR

  Note:
  This requires being a nodejs collaborator. This could be you!

  • Thumbs-up reaction on the Fast-track comment
  • Add an LGTM / Approval
  • Add request-ci label to get it running CI
  • Add commit-queue label once everything is green
  • For backport releases, comment on the PR asking the Node.js team to add dont-land-on-v<NODE_MAJOR> labels for Node versions where this npm version should not be included