stack.pulse
#stacks/npm/tooling

npm release notes, breaking changes, and upgrade notes.

The package manager for JavaScript StackPulse turns upstream changelogs into scannable summaries with risky changes, deprecations, migration notes, and source links.

source repo$track this stackplan upgraderss
releases
10
breaking
5
security
1
deprecated
0
migrations
1

Get source-linked upgrade notes and occasional sponsor recommendations. No GitHub login required.

what stackpulse tracks

npm releases from GitHub

StackPulse watches npm release notes and keeps the original source link close to every summary.

upgrade risk

Breaking changes and deprecations

Risky changes are separated from normal feature notes so you can scan upgrade impact before changing production dependencies.

migration notes

Source-backed next steps

Migration steps and recommended actions are only shown when the upstream release notes support them.

# latest_releases

source-backed
allbreakingdeprecationmigrationsecurity
libnpmversion-v9.0.0-pre.1criticalbreakingfeatureprereleaseJun 19, 2026

libnpmversion: v9.0.0-pre.1

This pre-release introduces new Node.js engine requirements and updates dependencies, marking breaking changes for users on unsupported Node versions.

affected

Users with Node.js versions below 22.22.2, between 24.15.0 and 26.0.0, or older than 24.15.0 are affected.

action

Upgrade Node.js to a supported version before using this version of npm.

release_signals
-npm now requires Node.js versions ^22.22.2, ^24.15.0, or >=26.0.0, breaking compatibility with older versions
+Bumps Node.js engine range support to require node ^22.22.2, ^24.15.0, or >=26.0.0
view source on github->
libnpmteam-v9.0.0-pre.0criticalbreakingfeatureprereleaseJun 19, 2026

libnpmteam: v9.0.0-pre.0

This prerelease version of libnpmteam introduces breaking changes by updating the supported Node.js engine range and includes dependency updates.

affected

Users running Node.js versions outside the new supported range will need to upgrade.

action

Upgrade Node.js to a supported version if necessary.

release_signals
-`npm` now supports Node.js `^22.22.2 || ^24.15.0 || >=26.0.0`, which may require users to upgrade their Node.js version.
+Bump to new Node.js engine range: `^22.22.2 || ^24.15.0 || >=26.0.0`
view source on github->
libnpmsearch-v10.0.0-pre.0criticalbreakingprereleaseJun 19, 2026

libnpmsearch: v10.0.0-pre.0

This prerelease version updates the Node.js engine requirements and bumps dependencies. The main change is the new Node.js version support range.

affected

Users running Node.js versions outside the new engine range (^22.22.2 || ^24.15.0 || >=26.0.0) will be affected.

action

Update Node.js to a supported version before upgrading to this release.

release_signals
-Supports Node.js versions ^22.22.2 || ^24.15.0 || >=26.0.0
view source on github->
libnpmpublish-v12.0.0-pre.0highbreakingfeatureprereleaseJun 19, 2026

libnpmpublish: v12.0.0-pre.0

This pre-release includes breaking changes to Node.js engine support and default access behavior, introduces packageExtensions for dependency manifest repairs and native dependency patching, and updates multiple dependencies.

affected

Users with Node.js versions outside the new supported range will need to upgrade, and callers that relied on default public access must now explicitly specify access.

action

Check Node.js version compatibility and explicitly pass access: 'public' if needed when publishing packages.

release_signals
-Support for Node.js versions narrowed to ^22.22.2 || ^24.15.0 || >=26.0.0
-opts.access now defaults to null instead of 'public', requiring explicit passing of access: 'public'
+packageExtensions for root-owned dependency manifest repairs
+native dependency patching (npm patch add/commit/update/ls/rm)
+bump to new node engine range
view source on github->
v12.0.0-pre.1highbreakingmigrationfeaturesecurityprereleaseJun 19, 2026

v12.0.0-pre.1

This prerelease introduces breaking changes around security defaults and git protocol handling, alongside new features for dependency patching and script execution policies. The update also changes npm's default license behavior and requires explicit opt-in for git/remote dependencies.

affected

All users installing git dependencies or relying on permissive script execution policies need to review configurations due to new security defaults.

action

Review breaking changes, test with pre-release, and update configurations for git dependencies and script execution policies.

release_signals
-Preserved https protocol when working with git.
-Changed default license for npm init from ISC to empty string (omitted field).
-Updated node engine requirements to support node ^22.22.2 || ^24.15.0 || >=26.0.0.
-Changed allow-git and allow-remote defaults to "none" (previously allowed by default).
-Unknown configs in .npmrc, unknown CLI flags, and abbreviated flags now throw errors instead of warnings.
!Default-deny install scripts policy mitigates arbitrary script execution risks.
!Hardened inBundle security with allowScripts tooling.
!Blocked forbidden keys in Queryable setter to prevent prototype pollution.
!Default deny for git/remote dependencies reduces supply chain risks.
!Warns when min-release-age blocks an audit fix (security update validation).
+Added packageExtensions for root-owned dependency manifest repairs.
+Introduced native dependency patching with commands like npm patch add/commit/update/ls/rm.
+Added min-release-age-exclude config to bypass audit fix restrictions.
+Implemented default-deny install scripts policy with allowScripts opt-in.
+Added a global npmignore file feature.
migration_steps4 steps
  1. 01Explicitly set allow-git/allow-remote to "all" if you need git/remote dependencies.
  2. 02Update node version if using unsupported versions (<22.22.2, <24.15.0, or <26.0.0).
  3. 03Migrate from ISC license to preferred license or empty string for new packages.
  4. 04Opt-in to allowScripts if you require install scripts.
view source on github->
libnpmpack-v9.1.10lowfeatureJun 11, 2026

libnpmpack: v9.1.10

This release includes a bug fix related to path separators in pack output filenames and updates the dependency on `@npmcli/arborist` to version 9.8.0.

affected

Users who encounter issues with path separators in pack output filenames will benefit from this fix.

action

Update to version 9.1.10 to resolve the path separator issue.

view source on github->
libnpmfund-v7.0.24lowJun 11, 2026

libnpmfund: v7.0.24

This release updates the dependency on `@npmcli/arborist` to version 9.8.0.

affected

Users relying on `libnpmfund` with `@npmcli/arborist` will be affected by this dependency update.

action

Ensure compatibility with `@npmcli/arborist@9.8.0`.

view source on github->
libnpmexec-v10.3.0mediumfeatureJun 11, 2026

libnpmexec: v10.3.0

This release introduces hardening for `allowScripts` tooling and `inBundle` functionality, along with a bug fix for escaping executable names in `libnpmexec run-script`.

affected

Developers using `libnpmexec` for script execution and tooling configurations are affected.

action

Update to version 10.3.0 to benefit from the latest fixes and improvements.

release_signals
+Hardening for `allowScripts` tooling and `inBundle` functionality
view source on github->
libnpmdiff-v8.1.10lowJun 11, 2026

libnpmdiff: v8.1.10

This release updates the dependency on `@npmcli/arborist` to version 9.8.0.

affected

Users relying on `libnpmdiff` may be affected by changes in the updated `@npmcli/arborist` dependency.

view source on github->
v11.17.0mediumfeatureJun 11, 2026

v11.17.0

This release introduces new configuration options for release age exclusions and script hardening, along with several bug fixes related to script approval and JSON output.

affected

Users relying on script approvals, JSON outputs, or release age exclusions will be affected.

action

Update to the latest version to benefit from new features and bug fixes.

release_signals
+Added `min-release-age-exclude` config for release age exclusions
+Enhanced `allowScripts` tooling and `inBundle` hardening
view source on github->