stack.pulse
#stacks/npm/tooling

npm release notes, breaking changes, and upgrade notes.

The package manager for JavaScript StackPulse turns upstream changelogs into scannable summaries with risky changes, deprecations, migration notes, and source links.

source repo$track this stackplan upgraderss
releases
10
breaking
5
security
1
deprecated
0
migrations
1

Get source-linked upgrade notes and occasional sponsor recommendations. No GitHub login required.

what stackpulse tracks

npm releases from GitHub

StackPulse watches npm release notes and keeps the original source link close to every summary.

upgrade risk

Breaking changes and deprecations

Risky changes are separated from normal feature notes so you can scan upgrade impact before changing production dependencies.

migration notes

Source-backed next steps

Migration steps and recommended actions are only shown when the upstream release notes support them.

# latest_releases

source-backed
allbreakingdeprecationmigrationsecurity
v12.0.0-pre.1highbreakingmigrationfeaturesecurityprereleaseJun 19, 2026

v12.0.0-pre.1

This prerelease introduces breaking changes around security defaults and git protocol handling, alongside new features for dependency patching and script execution policies. The update also changes npm's default license behavior and requires explicit opt-in for git/remote dependencies.

affected

All users installing git dependencies or relying on permissive script execution policies need to review configurations due to new security defaults.

action

Review breaking changes, test with pre-release, and update configurations for git dependencies and script execution policies.

release_signals
-Preserved https protocol when working with git.
-Changed default license for npm init from ISC to empty string (omitted field).
-Updated node engine requirements to support node ^22.22.2 || ^24.15.0 || >=26.0.0.
-Changed allow-git and allow-remote defaults to "none" (previously allowed by default).
-Unknown configs in .npmrc, unknown CLI flags, and abbreviated flags now throw errors instead of warnings.
!Default-deny install scripts policy mitigates arbitrary script execution risks.
!Hardened inBundle security with allowScripts tooling.
!Blocked forbidden keys in Queryable setter to prevent prototype pollution.
!Default deny for git/remote dependencies reduces supply chain risks.
!Warns when min-release-age blocks an audit fix (security update validation).
+Added packageExtensions for root-owned dependency manifest repairs.
+Introduced native dependency patching with commands like npm patch add/commit/update/ls/rm.
+Added min-release-age-exclude config to bypass audit fix restrictions.
+Implemented default-deny install scripts policy with allowScripts opt-in.
+Added a global npmignore file feature.
migration_steps4 steps
  1. 01Explicitly set allow-git/allow-remote to "all" if you need git/remote dependencies.
  2. 02Update node version if using unsupported versions (<22.22.2, <24.15.0, or <26.0.0).
  3. 03Migrate from ISC license to preferred license or empty string for new packages.
  4. 04Opt-in to allowScripts if you require install scripts.
view source on github->