CHANGELOG.md

Changelog

9.4.2 (2026-03-18)

Bug Fixes

• 21ea382 #9110 arborist: resolve sibling override sets via common ancestor (#9110) (@manzoorwanijk)
• 51365b1 #9107 arborist: update store symlinks when hash changes in linked strategy (#9107) (@manzoorwanijk)
• 8e0a731 #9108 arborist: skip linked actual tree diff in package-lock-only mode (#9108) (@manzoorwanijk)

9.4.1 (2026-03-10)

Bug Fixes

• 5b7c0cc #9096 arborist: exclude store nodes from :root > * in linked strategy (#9096) (@manzoorwanijk)
• 3b70a9d #9097 arborist: simplify rootDeclaredDeps initialization (#9097) (@manzoorwanijk)
• c7702d0 #9094 arborist: fix non-idempotent linked install with workspace projects (#9094) (@manzoorwanijk)
• 1a744b5 #9081 arborist: omit root dev deps in linked strategy when shared with workspaces (#9081) (@manzoorwanijk)
• ff51827 #9076 arborist: do not hoist undeclared workspaces in linked strategy (#9076) (@manzoorwanijk)
• 1206f8b #9069 consolidate isolated node/link attributes (#9069) (@wraithgar)
• a774fb7 #9066 arborist: respect --omit flag in linked install strategy (#9066) (@manzoorwanijk)
• 8614b2a #9031 arborist: avoid full reinstall on subsequent linked strategy runs (#9031) (@manzoorwanijk)
• 16fbe13 #9030 resolve relative file: dependencies correctly with install-strategy=linked (#9030) (@manzoorwanijk)
• 983742b #9055 isolated mode code cleanup (#9055) (@wraithgar)
• a29aeee #9028 arborist: retry bin-links on Windows EPERM (#9028) (@manzoorwanijk)
• 10d5302 #9051 arborist: unwrap Link nodes in legacyPeerDeps for linked strategy (#9051) (@manzoorwanijk)
• 94bfef5 #9044 audit: exclude locally linked packages from vulnerability audit (#9044) (@lucas-gomes-santana)
• 26fa40e #9041 fix workspace-filtered install with linked strategy (@owlstronaut)

9.4.0 (2026-02-25)

Features

• 4fcd352 #9017 add :type(registry) to query selector syntax (#9017) (@wraithgar)

Bug Fixes

• 880ecb7 #9013 arborist: skip postinstall on store links in linked strategy (#9013) (@manzoorwanijk)
• 07e6edd #9025 save libc field to package-lock.json (@owlstronaut)
• a2154cd #8996 linked strategy fixes for scoped packages, aliases, and peer deps (#8996) (@manzoorwanijk)

9.3.1 (2026-02-19)

Bug Fixes

• bb135cc #8981 arborist: fix peerOptional dependency resolution in buildIdealTree (#8981) (@Saibamen, @cursoragent)

Chores

• 40fcab4 #8991 @npmcli/template-oss@4.29.0 (@wraithgar)

9.3.0 (2026-02-11)

Features

• 7c038b7 #8968 add support for git-256 sha lengths (#8968) (@wraithgar)

9.2.0 (2026-02-04)

Features

• f5f6cf7 #8943 config: add --allow-git (@wraithgar)

9.1.10 (2026-01-21)

Dependencies

• f951820 #8919 common-ancestor-path@2.0.0

9.1.9 (2025-12-09)

Bug Fixes

• 0765289 #8721 handle ENOTEMPTY errors in moveFile (@keegancsmith)

9.1.8 (2025-11-25)

Bug Fixes

• b118364 #8760 undefined override set conflicts shouldn't error (@owlstronaut)

Dependencies

• f963223 #8770 proggy@4.0.0
• f51e4aa #8770 nopt@9.0.0
• 2d15040 #8770 @npmcli/query@5.0.0
• 58650dc #8770 @npmcli/fs@5.0.0

9.1.7 (2025-11-19)

Bug Fixes

• 3225fa3 #8737 fix usage of path of custom registry (#8737) (@flj2mu2)
• e9f0418 #8689 arborist: improve override conflict detection with semantic comparison (#8689) (@Artur-)
• 05319f0 #8677 code cleanup (#8677) (@wraithgar)
• 49a4eef #8676 use look behind regex for trailing slash stripping (#8676) (@wraithgar)
• b1aee62 #8645 dep flag calculation (#8645) (@liamcmitchell)

Dependencies

• 8cc9f70 #8723 ssri@13.0.0
• 59b3c6a #8723 @npmcli/redact@4.0.0
• 6cb77df #8723 @npmcli/installed-package-contents@4.0.0
• 05ac7a7 #8723 proc-log@6.0.0
• 0a74f6d #8723 bin-links@6.0.0
• 041b9b2 #8723 parse-conflict-json@5.0.1
• a1b0fea #8723 @npmcli/name-from-folder@4.0.0
• 3404dca #8723 npm-install-checks@8.0.0
• 542fcf3 #8723 @npmcli/node-gyp@5.0.0

9.1.6 (2025-10-08)

Bug Fixes

• 0a8b8c2 #8621 typo bugs and other spelling fixes (#8621) (@jsoref)
• 54fd27f #8602 refactor node.ideallyInert to node.inert (#8602) (@liamcmitchell)
• 13d8df6 #8537 optional set calculation (#8537) (@liamcmitchell)

Chores

• 180e9f7 #8610 fix spelling in workspaces/arborist (#8610) (@jsoref)
• 91393de #8599 Update references for arborist to cli (#8599) (@jsoref)

9.1.5 (2025-09-23)

Bug Fixes

• 60aa94b #8576 attach path to json parse error (@wraithgar)
• 1eedf82 #8576 use @npmcli/package-json to parse package.json (@wraithgar)
• f6c868d #8566 calculate omit in diff (#8566) (@liamcmitchell, Liam Mitchell)
• d389614 #8579 corrects peer dependency flag propagation (@owlstronaut)

Dependencies

• 566f1b7 #8576 minimatch@10.0.3
• ea7ca5f #8576 lru-cache@11.2.1
• bf6b686 #8576 npm-package-arg@13.0.0
• 9392488 #8576 npm-package-manifest@11.0.1
• 633c4ed #8576 hosted-git-info@9.0.0
• 1149971 #8576 npm-registry-fetch@19.0.0
• 6221e27 #8576 @npmcli/metavuln-calculator@9.0.2
• da81a37 #8576 cacache@20.0.1
• 6b4c5f9 #8576 @npmcli/run-script@10.0.0
• b6bb9ae #8576 pacote@21.0.3
• 1b4433f #8576 @npmcli/map-workspaces@5.0.0
• ceae674 #8576 @npmcli/package-json@7.0.1
• 4f37534 #8576 remove read-package-json-fast

Chores

• 4059dfa #8576 properly use arborist and cache in test (@owlstronaut)
• 402a0ab #8576 @npmcli/template-oss@4.25.1 (@wraithgar)

9.1.4 (2025-09-03)

Bug Fixes

• 208c06e #8448 peer edge crash due to no parent or detached node (#8448) (@milaninfy)
• 3b54e9c #8534 installLinks works with transitive external file dependencies (#8534) (@owlstronaut)
• ed71acb #8473 arborist: #8472 Keeps the registry protocol when modifying resolve URL (#8473) (@Jeepsboucher, Jean-Philippe Boucher)

Chores

• 619d43e #8540 fix pruner and reify tests for optional peer deps (#8540) (@liamcmitchell, Liam Mitchell)

9.1.3 (2025-07-24)

Bug Fixes

• 6dbe21a #8436 local transitive dependencies with --install-links=true (@owlstronaut)
• 8042af3 #8431 prune optional peer dependencies that are no longer explicitly depended on (#8431) (@G-Rath)
• c457c75 #8430 remove duplicate loop (#8430) (@G-Rath)
• f7b056f #8400 clean up audit-report code (#8400) (@wraithgar)
• f163d01 #8372 use omit when checking ideal tree engine (#8372) (@owlstronaut)

Chores

• 3f60b5f #8383 @npmcli/template-oss@4.24.4 (#8383) (@wraithgar)
• 01f8cc6 #8381 @npmcli/template-oss@4.24.3 (#8381) (@wraithgar)

9.1.2 (2025-06-11)

Bug Fixes

• 887385d #8356 arborist: use hosted-git-info to correctly parse resolved git urls (#8356) (@milaninfy)

9.1.1 (2025-05-21)

Bug Fixes

• 8f6eb6b #8312 arborist: fix file dep making wrong link (#8312) (@alexsch01)

9.1.0 (2025-05-15)

Features

• 57aa89f #8265 use run by default and run-script as the alias (#8265) (@owlstronaut)

Bug Fixes

• d5bcf38 #8268 arborist: Add better error message when lockfile is malformed (#8268) (@owlstronaut)
• 5e1fed9 #8290 arborist: improve README markdown (#8290) (@mbtools)
• 0886e7a #8222 preserve registry path when replacing a host (@owlstronaut)
• 815311b #8206 arborist: workspaces correctly path to file: packages from overrides (@owlstronaut)

9.0.2 (2025-04-08)

Bug Fixes

• a96d8f6 #8184 arborist: omit failed optional dependencies from installed deps (#8184) (@owlstronaut, @zkat)
• 04f53ce #8180 arborist: safely fallback on unresolved $ dependency references (#8180) (@owlstronaut)
• 885accd #8185 arborist: only replace hostname for resolved URL (#8185) (@billy-briggs-dev)
• 8b7bb12 #8168 arborist: Allow downgrades to hoisted version dedupe workspace i… (#8168) (@owlstronaut)
• 1642556 #8160 arborist: workspaces respect overrides on subsequent installs (#8160) (@owlstronaut)

Chores

• 88a7b52 #8174 add load-virtual and reify tests for workspace override test coverage (#8174) (@owlstronaut, @TrevorBurnham)

9.0.1 (2025-03-05)

Bug Fixes

• b9225e5 #8089 resolve override conflicts and apply correct versions (#8089) (@owlstronaut)
• d586f3b #8117 remove duplicate var (#8117) (@TrevorBurnham)
• 811ca29 #8115 stop working around bug fixed in npm-package-arg@12.0.2 (@TrevorBurnham)

9.0.0 (2024-12-16)

Features

• a7bfc6d #7972 trigger release process (#7972) (@wraithgar)

Chores

• a07f4e0 #7976 @npmcli/template-oss@4.23.6 (@wraithgar)

9.0.0-pre.1 (2024-12-06)

⚠️ BREAKING CHANGES

• Upon publishing, in order to apply a default "latest" dist tag, the command now retrieves all prior versions of the package. It will require that the version you're trying to publish is above the latest semver version in the registry, not including pre-release tags.
• bun.lockb files are now included in the strict ignore list during packing

Features

• f3ac7b7 #7939 no implicit latest tag on publish when latest > version (#7939) (@reggi, @ljharb)

Dependencies

• c0bcc2a #7955 walk-up-path@4.0.0
• 4bf1901 #7945 @npmcli/metavuln-calculator@9.0.0
• ca84b22 #7945 pacote@21.0.0

9.0.0-pre.0 (2024-11-26)

⚠️ BREAKING CHANGES

• --ignore-scripts now applies to all lifecycle scripts, include prepare
• npm will no longer fall back to the old audit endpoint if the bulk advisory request fails.
• @npmcli/arborist now supports node ^20.17.0 || >=22.9.0

Features

• 6995303 #7850 adds --ignore-scripts flag to pack (@reggi)

Bug Fixes

• 080a0f2 #7911 remove old audit fallback request (@wraithgar)
• 3ffc08b #7831 for @npmcli/arborist sets node engine range to ^20.17.0 || >=22.9.0 (@reggi)

Dependencies

• 7dbef6f #7850 pacote@20.0.0
• 75a3f12 #7859 remove unused deps (#7859)

Chores

• 6edfe2f #7937 @npmcli/template-oss@4.23.5 (@wraithgar)

8.0.0 (2024-10-03)

⚠️ BREAKING CHANGES

• @npmcli/arborist now supports node ^18.17.0 || >=20.5.0

Features

• 4d57928 #7766 devEngines (#7766) (@reggi)

Bug Fixes

• 365580a #7803 align @npmcli/arborist to npm 10 node engine range (@reggi)

Dependencies

• 5795987 #7803 update proggy@3.0.0
• 99ccae3 #7803 update bin-links@5.0.0
• 75786ad #7803 update @npmcli/query@4.0.0
• 1c25a1d #7803 update @npmcli/node-gyp@4.0.0
• 2d7fc3d #7803 update @npmcli/name-from-folder@3.0.0
• 1e09334 #7803 update @npmcli/metavuln-calculator@8.0.0
• 820e983 #7803 update @npmcli/installed-package-contents@3.0.0
• 9cd6603 #7803 update read-package-json-fast@4.0.0
• 8206c4f #7803 update ssri@12.0.0
• f6909a0 #7803 update proc-log@5.0.0
• f9b2e18 #7803 update parse-conflict-json@4.0.0
• e7ab206 #7803 update pacote@19.0.0
• d13a20b #7803 update npm-registry-fetch@18.0.1
• 092f41f #7803 update npm-pick-manifest@10.0.0
• 50a7bc8 #7803 update npm-package-arg@12.0.0
• 591130d #7803 update npm-install-checks@7.1.0
• 105fa2b #7803 update nopt@8.0.0
• 7214149 #7803 update json-parse-even-better-errors@4.0.0
• 6deae9e #7803 update hosted-git-info@8.0.0
• 034c729 #7803 update cacache@19.0.1
• 538a4cc #7803 update @npmcli/run-script@9.0.1
• b80d048 #7803 update @npmcli/redact@3.0.0
• 2076368 #7803 update @npmcli/package-json@6.0.1
• feac87c #7803 update @npmcli/map-workspaces@4.0.1
• dd90f9e #7803 update @npmcli/fs@4.0.0

Chores

• be1e6da #7803 update minify-registry-metadata@4.0.0 (@reggi)
• 2072705 #7803 update @npmcli/eslint-config@5.0.1 (@reggi)
• 8035725 #7756 @npmcli/template-oss@4.23.3 (@wraithgar)

7.5.4 (2024-07-09)

Bug Fixes

• 6f33d74 #7579 arborist: safeguard against null node.target in flag calculation (#7579) (@AmirSa12)
• a8e666e #7602 arborist: condition to include name field in package-lock fixed (#7602) (@milaninfy)

7.5.3 (2024-05-29)

Bug Fixes

• 2d1d8d0 #7559 adds node: specifier to all native node modules (#7559) (@reggi)

Chores

• 4a36d78 #7568 fix linting in arborist debugger (@wraithgar)

7.5.2 (2024-05-15)

Bug Fixes

• 12f103c #7533 add first param titles to logs where missing (#7533) (@lukekarrys)
• e290352 #7499 revert DepsQueue to re-sort on pop() (#7499) (@lukekarrys)
• 56a27fa #7494 avoid caching manifests as promises (@wraithgar)
• 722c0fa #7463 limit packument cache size based on heap size (@wraithgar)
• effe910 #7475 don't omit license from stored manifests (#7475) (@lukekarrys)

Dependencies

• fd42986 #7498 @npmcli/fs@3.1.1
• ea0b07d #7482 pacote@18.0.6
• 5b2317b #7463 add lru-cache
• 7e15b6d #7480 @npmcli/metavuln-calculator@7.1.1
• 8b20f8c #7480 ssri@10.0.6
• a9a6dcd #7480 pacote@18.0.5
• e2fdb65 #7480 npm-pick-manifest@9.0.1
• e71f541 #7480 nopt@7.2.1
• 18c3b40 #7480 json-parse-even-better-errors@3.0.2
• 714e3e1 #7480 hosted-git-info@7.0.2
• f94d672 #7480 cacache@18.0.3
• 43331e4 #7480 bin-links@4.0.4
• 63ef498 #7457 npm-registry-fetch@17.0.1

Chores

• 9c4d3c4 #7467 template-oss-apply (@lukekarrys)
• 2b7ec54 #7467 template-oss@4.22.0 (@lukekarrys)

7.5.1 (2024-04-30)

Bug Fixes

• a1b95eb #7453 linting: no-unused-vars (@wraithgar)
• abcbc54 #7430 reify: cleanup of Symbols (#7430) (@wraithgar)
• 57ebebf #7418 update repository.url in package.json (#7418) (@wraithgar)

Dependencies

• 80eec03 #7453 @npmcli/redact@2.0.0
• a7145d4 #7453 npm-registry-fetch@17.0.0
• 9da5738 #7437 @npmcli/run-script@8.1.0 (#7437)

7.5.0 (2024-04-25)

Features

• 9123de4 #7373 do all output over proc-log events (@lukekarrys)
• 9622597 #7339 refactor terminal display (#7339) (@lukekarrys)

Bug Fixes

• 78447d7 #7399 prefer fs/promises over promisify (#7399) (@lukekarrys)
• 6512112 #7378 use proc-log for all timers (@lukekarrys)

Dependencies

• 36adff3 #7408 pacote@18.0.2
• 486d46c #7408 @npmcli/installed-package-contents@2.1.0
• 157d0ae #7408 @npmcli/package-json@5.1.0
• fc6e291 #7392 proc-log@4.2.0 (#7392)
• 38ed048 #7378 @npmcli/metavuln-calculator@7.1.0
• 7678a3d #7378 proc-log@4.1.0
• 87f6c09 #7373 @npmcli/metavuln-calculator@7.0.1
• b8f8b41 #7373 @npmcli/run-script@8.0.0
• 79f79c7 #7373 proc-log@4.0.0
• 9027266 #7373 pacote@18.0.0
• ee4b3e0 #7373 npm-registry-fetch@16.2.1
• ac98fd3 #7373 npm-package-arg@11.0.2
• 9351570 #7373 @npmcli/package-json@5.0.3

Chores

• dd39de7 #7411 disable selflink test on apple silicon (#7411) (@lukekarrys)

7.4.2 (2024-04-10)

Bug Fixes

• ef381b1 #7363 use @npmcli/redact for url cleaning (#7363) (@lukekarrys)

7.4.1 (2024-04-03)

Bug Fixes

• 8cab136 #7324 ensure maxSockets is respected (#7324) (@lukekarrys)
• 9bffa13 #7320 query: properly return :missing nodes (#7320) (@wraithgar)

Dependencies

• 87a61fc #7334 npm-registry-fetch@16.2.0
• 6fd94f2 #7329 minimatch@9.0.4
• 8cab136 #7324 agent-base@7.1.1 (@lukekarrys)

Chores

• 8cab136 #7324 add smoke-test for large prod installs (@lukekarrys)

7.4.0 (2024-02-28)

Features

• 2366edc #7218 query: add :vuln pseudo selector (@wraithgar)

Bug Fixes

• 6d1789c #7237 Arborist code cleanup (#7237) (@wraithgar)
• ed17276 #7218 query-selector: don't look up private packages on :outdated (@wraithgar)

Dependencies

• 16d4c9f #7218 @npmcli/query@3.1.0

7.3.1 (2024-01-24)

Bug Fixes

• d3f1845 #7124 clean up idealTree code (@wraithgar)
• 8382fb3 #7126 fetch full packument so that libc can be assessed (@styfle, @ljharb)

Dependencies

• ec77e81 #7124 promise-call-limit@3.0.1

7.3.0 (2024-01-10)

Features

• 6673c77 #6914 add --libc option to override platform specific install (#6914) (@wraithgar, @Brooooooklyn)

7.2.2 (2023-12-06)

Bug Fixes

• ae2d982 #7027 arborist: node.target can be null when it is a file dep or symlink (#7027) (@ljharb, @lukekarrys)
• f875caa #6998 clean up shrinkwrap code (#6998) (@wraithgar)

Chores

• f656b66 #7062 @npmcli/template-oss@4.21.3 (#7062) (@lukekarrys)
• 9754b17 #7051 use global npm for workspace tests (@lukekarrys)
• 3891757 #7051 @npmcli/template-oss@4.21.2 (@lukekarrys)

7.2.1 (2023-10-31)

Dependencies

• dfb6298 #6937 node-gyp@10.0.0 (#6937)

7.2.0 (2023-10-02)

Features

• 81a460f #6732 add package-lock-only mode to npm query (@wraithgar)
• 0d29855 #6732 add no-package-lock mode to npm audit (@wraithgar)

Bug Fixes

• 0860159 #6829 ensure workspace links query parents correctly (#6829) (@Carl-Foster)
• bef7481 #6782 query with workspace descendents (#6782) (@bdehamer)

Dependencies

• aa6728b #6859 tar@6.2.0
• ce9089f #6859 npm-package-arg@11.0.1
• 0a47af5 #6859 hosted-git-info@7.0.1
• 3ebc474 #6859 @npmcli/query@3.0.1

7.1.0 (2023-09-08)

Features

• 1c93c44 #6755 Add --cpu and --os option to override platform specific install (#6755) (@yukukotani)

7.0.0 (2023-08-31)

Features

• fb31c7e trigger release process (@lukekarrys)

7.0.0-pre.0 (2023-08-31)

⚠️ BREAKING CHANGES

• support for node <=16.13 has been removed
• support for node 14 has been removed

Bug Fixes

• 6b251b1 #6706 drop node 16.13.x support (@lukekarrys)
• e3a377d #6706 drop node14 support (@lukekarrys)

Dependencies

• eb41977 #6706 @npmcli/run-script@7.0.1
• f334466 #6706 pacote@17.0.4
• bb63bf9 #6706 @npmcli/run-script@7.0.0
• 43831d0 #6706 pacote@17.0.3
• 44e8fec #6706 pacote@17.0.2
• 2ee0fb3 #6706 npm-registry-fetch@16.0.0
• 81ff4df #6706 pacote@17.0.1
• c3a1a02 #6706 @npmcli/metavuln-calculator@7.0.0
• cac0725 #6706 pacote@17.0.0
• fd8beaf #6706 npm-pick-manifest@9.0.0
• c784b57 #6706 npm-package-arg@11.0.0
• 729e893 #6706 hosted-git-info@7.0.0
• 7af81c7 #6706 cacache@18.0.0
• b0849ab #6706 @npmcli/package-json@5.0.0
• 61e9b00 #6706 @npmcli/metavuln-calculator@6.0.1
• 4c9eb17 #6706 npm-install-checks@6.2.0
• 88ece81 #6706 npm-pick-manifest@8.0.2
• 9117a4f #6706 ssri@10.0.5
• 5eea975 #6706 cacache@17.1.4
• ca33c98 #6706 @npmcli/metavuln-calculator@6.0.0
• edbc25a #6706 pacote@16.0.0
• 5d0d859 #6706 npm-registry-fetch@15.0.0

6.3.0 (2023-07-05)

Features

• 67459e7 #6626 add pkg fix subcommand (@wraithgar)

Bug Fixes

• c61e037 #6626 use new load/create syntax for package-json (@wraithgar)

Dependencies

• b252164 #6626 @npmcli/package-json@4.0.0

6.2.10 (2023-06-21)

Bug Fixes

• f5b9713 #6549 make omit flags work properly with workspaces (#6549) (@Rayyan98, @lukekarrys)
• 40d7e09 #6555 remove unnecessary package.json values (#6555) (@lukekarrys)

6.2.9 (2023-05-03)

Bug Fixes

• a558bbd #6393 code cleanup (#6393) (@wraithgar)

Dependencies

• e498f82 #6416 minimatch@9.0.0

6.2.8 (2023-04-19)

Bug Fixes

• 82879f6 #6225 lazy loading of arborist and pacote (#6225) (@wraithgar)

Dependencies

• 3fa9542 #6363 semver@7.5.0
• 357cc29 #6363 walk-up-path@3.0.1

6.2.7 (2023-04-05)

Dependencies

• f1388b4 #6317 npm update
• deca335 #6317 promise-call-limit@1.0.2

6.2.6 (2023-03-30)

Dependencies

• ea12627 #6275 minimatch@7.4.2

6.2.5 (2023-03-08)

Bug Fixes

• 8a78c6f #6222 only add directories we made to _sparseTreeRoots (#6222) (@nlf)

6.2.4 (2023-03-02)

Bug Fixes

• 962a12e #6193 arborist: dependencies from registries with a peerDependency on a workspace (#6193) (@ixalon)

Dependencies

• 71ae406 #6218 @npmcli/installed-package-contents@2.0.2

6.2.3 (2023-02-22)

Bug Fixes

• 6ed3535 #6175 linked-strategy lifecycle missing bins (#6175) (@fritzy)

Documentation

• 9bc455b #6188 fixing typos (#6188) (@deining)

6.2.2 (2023-02-07)

Bug Fixes

• 12ec7ee remove unused package.json scripts (@lukekarrys)

Dependencies

• d43f881 map-workspaces@3.0.2
• 99457f1 minimatch@6.1.6

6.2.1 (2023-02-01)

Bug Fixes

• 72a7a59 #6095 only save package-lock when truly finished (@wraithgar)

Dependencies

• 721fe3f #6118 read-package-json-fast@3.0.2
• 6e4a649 pacote@15.0.8
• 1820afe cacache@17.0.4
• 4b8046e @npmcli/name-from-folder@2.0.0
• 1d4be7a @npmcli/map-workspaces@3.0.1
• a39556f @npmcli/template-oss@4.11.3

6.2.0 (2023-01-25)

Features

• 8d6d851 #6078 added --install-strategy=linked (#6078) (@fritzy)

6.1.6 (2023-01-12)

Bug Fixes

• b584af0 #6022 remove unneeded param default (@wraithgar)
• 2ba1171 streamline workspace loading code (@wraithgar)
• 2383deb #6037 clean urls from arborist, owner, and ping commands (#6037) (@lukekarrys)
• c52cf6b #5960 properly handle directory, file, git and alias specs in overrides (@nlf)

6.1.5 (2022-12-07)

Bug Fixes

• 83fb125 #5923 audit package mismatch in special case (@fritzy)

Dependencies

• 372d158 #5935 minimatch@5.1.1 (#5935)
• 0a3fe00 #5933 minipass@4.0.0
• cf0a174 ssri@10.0.1
• 3da9a1a pacote@15.0.7
• fee9b66 npm-registry-fetch@14.0.3
• e940917 cacache@17.0.3
• 875bd56 npm-package-arg@10.1.0

6.1.4 (2022-11-30)

Bug Fixes

• 80c6c4a #5907 do not reset hidden lockfile data before saving (#5907) (@nlf)

6.1.3 (2022-11-16)

Bug Fixes

• 3f13818 #5859 refactor / inline single use code (#5859) (@wraithgar)

6.1.2 (2022-11-09)

Dependencies

• 335c7e4 #5813 cacache@17.0.2
• 878ddfb @npmcli/fs@3.1.0

6.1.1 (2022-11-02)

Bug Fixes

• 1f5382d #5789 don't set stdioString for any spawn/run-script calls (@lukekarrys)
• 0c5834e #5758 use hosted-git-info to parse registry urls (#5758) (@lukekarrys)

Dependencies

• b89c19e #5795 cli-table3@0.6.3
• 66f9bcd nopt@7.0.0
• abfb28b @npmcli/run-script@6.0.0

6.1.0 (2022-10-26)

Features

• 3dd8d68 #5751 sort and quote yarn lock keys according to yarn rules (#5751) (@wraithgar, @shalvah)

Dependencies

• de6618e #5757 @npmcli/promise-spawn@5.0.0 (#5757)

6.0.0 (2022-10-19)

Features

• 586e78d empty commit to trigger all workspace releases (@lukekarrys)

6.0.0-pre.5 (2022-10-19)

⚠️ BREAKING CHANGES

• deprecate boolean install flags in favor of --install-strategy
  • deprecate --global-style, --global now sets --install-strategy=shallow
  • deprecate --legacy-bundling, now sets --install-strategy=nested
• this package no longer attempts to change file ownership automatically

Features

• de2d33f add --install-strategy=hoisted|nested|shallow, deprecate --global-style, --legacy-bundling (#5709) (@fritzy)
• 475e9b6 #5703 do not alter file ownership (@nlf)

Bug Fixes

• 1afe5ba account for new npm-package-arg behavior (@wraithgar)

Dependencies

• 88137a3 npmlog@7.0.1
• 2008ea6 npm-package-arg@10.0.0, pacote@15.0.2
• aa01072 #5707 update the following dependencies

6.0.0-pre.4 (2022-10-05)

Features

• 9609e9e #5605 use v3 lockfiles by default (#5605) (@fritzy)

Dependencies

• 5344d2c #5644 pacote@14.0.0
• 6a43b31 @npmcli/metavuln-calculator@4.0.0

6.0.0-pre.3 (2022-09-30)

⚠️ BREAKING CHANGES

• npm pack now follows a strict order of operations when applying ignore rules. If a files array is present in the package.json, then rules in .gitignore and .npmignore files from the root will be ignored.

Features

• 3ae796d implement new npm-packlist behavior (@lukekarrys)

6.0.0-pre.2 (2022-09-23)

Features

• ebf167b add :outdated pseudo selector (@nlf)

Documentation

• 8402fd8 #5547 add :outdated pseudo selector to docs (@nlf)

Dependencies

• d030f10 @npmcli/query@2.0.0

6.0.0-pre.1 (2022-09-14)

Bug Fixes

• f3b0c43 keep saveTypes separate for each add (@wraithgar)

6.0.0-pre.0 (2022-09-08)

⚠ BREAKING CHANGES

• workspaces: all workspace packages are now compatible with the following semver range for node: ^14.17.0 || ^16.13.0 || >=18.0.0

Features

• e95017a #5485 feat(workspaces): update supported node engines in package.json (@lukekarrys)
• 09c46e8 #5324 feat(arborist): allow for selectors and function names with :semver pseudo selector (@nlf)

Bug Fixes

• fe926ed #5484 fix: don't mark workspaces as invalid if installing links (@wraithgar)
• 548e70e #5376 fix: link.target setter (@wraithgar)
• 2db6c08 #5376 fix: loadActual cleanup (@wraithgar)

Documentation

• 285b39f #5324 docs: add documentation for expanded :semver selector (@nlf)

5.6.1 (2022-08-31)

Bug Fixes

• 1e84102 #5350 fix: create links relative to the target (@wraithgar)
• ea5e3a3 #5350 fix: inline single-use functions (@wraithgar)
• 645c680 #5329 fix: update index.js spelling error in comment (@KevinBrother)
• bd2ae5d #5323 fix: linting (@wraithgar)

Dependencies

• 1286f03 #5381 deps: unique-filename@2.0.1
• 2c4e387 #5381 deps: hosted-git-info@5.1.0
• b12ac01 #5381 deps: npm-pick-manifest@7.0.2
• 7fbf6f7 #5381 deps: bin-links@3.0.3
• 26d2e55 #5381 deps: @npmcli/query@1.2.0
• a79ee00 #5381 deps: cacache@16.1.3
• 8ab12dc #5323 deps: @npmcli/eslint-config@3.1.0

5.6.0 (2022-08-17)

Features

• arborist: add :overridden pseudo selector (d221f72)
• arborist: add overridden getter to Node class (e6d4304)
• query: support :overridden pseudo selector (0d4ed0f)

5.5.0 (2022-08-10)

Features

• arborist: add option to forcibly skip loading a virtual tree (96b6781)

Bug Fixes

• query: tell arborist to load an actual tree, not a virtual one (9078e27)

Dependencies

• nopt@6.0.0 (7f31b85)

5.4.0 (2022-08-03)

Features

• add --replace-registry-host=<npmjs|always|never> (#4860) (703dbbf)
• add --replace-registry-host=<npmjs|always|never>| (703dbbf)
• add npm query cmd (#5000) (3c024ac)

Bug Fixes

• arborist: fix bare attribute queries (#5248) (8233fca)
• arborist: pass the edge to fromPath in order to determine correct path (#5233) (050284d)
• arborist: use the sourceReference root rather than the node root for overrides (#5227) (47cc95d), closes #4395

Dependencies

• @npmcli/query@1.1.1 (#5247) (d55007d)

5.3.1 (2022-07-27)

Bug Fixes

• allow hash character in paths (#5122) (62b95a0)

5.3.0 (2022-07-11)

Features

• arborist: add support for dependencies script (#5094) (e9b4214)

5.2.3 (2022-06-23)

Dependencies

• @npmcli/run-script@4.1.3 (#5064) (f59a114)

5.2.2 (2022-06-22)

Bug Fixes

• Add space to SemVer log message (#5042) (e03009f)

Dependencies

• @npmcli/run-script@4.1.0 (2c06cee)
• pacote@13.6.1 (2e50cb8)

5.2.1 (2022-06-01)

Bug Fixes

• arborist: use rawSpec for bundled and shrinkwrapped deps (#4963) (646b6b5)

5.2.0 (2022-05-10)

Features

• add flag --omit-lockfile-registry-resolved (#4874) (bfb8bcc)

Bug Fixes

• arborist: link deps lifecycle scripts (#4875) (5a50762)

5.1.1 (2022-04-26)

Dependencies

• @npmcli/map-workspaces@2.0.3 (3f2b24a)
• cacache@16.0.6 (532883f)
• npmlog@6.0.2 (5e31322)
• semver@7.3.7 (c51e553)

5.1.0 (2022-04-19)

Features

• arborist: add support for installLinks (0ebadf5)

Bug Fixes

• arborist: when replacing a Link with a Node, make sure to remove the Link target from the root (3d96494)

5.0.6 (2022-04-13)

Bug Fixes

• arborist: don't skip adding advisories to audit based on name/range (aa4a4da), closes #4681
• arborist: when reloading an edge, also refresh overrides (4d676e3)

5.0.5 (2022-04-06)

Bug Fixes

• replace deprecated String.prototype.substr() (#4667) (e3da5df)
• update readme badges (#4658) (2829cb2)

Dependencies

• @npmcli/arborist@5.0.4 (679e569)
• @npmcli/move-file@2.0.0 (e9b25cd)
• @npmcli/node-gyp@2.0.0 (0e87cac)
• @npmcli/package-json@2.0.0 (4a9a705)
• npm-install-checks@5.0.0 (ad99360)
• ssri@9.0.0 (a2781a3)
• treeverse@2.0.0 (1a90b9e)

5.0.4 (2022-03-31)

Bug Fixes

• arborist: handle link nodes in old lockfiles correctly (6f9cb49)
• arborist: identify and repair invalid nodes in the virtual tree (bd96ae4)
• arborist: make sure resolveParent exists before checking props (18b8b94)
• make sure we loadOverrides on the root node in loadVirtual() (99d8845)
• only call npmlog progress methods if explicitly requested (#4644) (668ec7f), closes #3314

5.0.3 (2022-03-17)

Bug Fixes

• arborist: _findMissingEdges missing dependency due to inconsistent path separators (#4261) (0e7511d)
• arborist: save workspace version (#4578) (e9a2981)

Dependencies

• @npmcli/metavuln-calculator@3.0.1 (fcc6acf)
• cacache@16.0.0 (e26548f)
• pacote@13.0.5 (340fa51)

5.0.2 (2022-03-10)

Bug Fixes

• rebuild: don't run lifecycle scripts twice on linked deps (#4529) (fbdb431)

Documentation

• standardize changelog heading (#4510) (91f03ee)

5.0.1 (2022-03-08)

Bug Fixes

• set proper workspace repo urls in package.json (#4476) (0cfc155)

2.0.0

• BREAKING CHANGE: root node is now included in inventory
• All parent/target/fsParent/etc. references set in root setter, rather than the hodgepodge of setters that existed before.
• treeCheck function added, to enforce strict correctness guarantees when ARBORIST_DEBUG=1 in the environment (on by default in Arborist tests).

1.0.0

• Release for npm v7 beta
• Fully functional

0.0.0

• Proof of concept
• Before this, it was read-package-tree