chore(deps): update npm to v11.9.0 [security]#372
Open
renovate[bot] wants to merge 1 commit intomainfrom
Open
Conversation
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
11.4.2→11.9.0npm cli Uncontrolled Search Path Element Local Privilege Escalation Vulnerability
CVE-2026-0775 / GHSA-3966-f6p6-2qr9
More information
Details
npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of npm cli. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the handling of modules. The application loads modules from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of a target user.
Severity
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
npm/cli (npm)
v11.9.0Compare Source
Features
f5f6cf7#8943 config: add --allow-git (@wraithgar)Bug Fixes
2242f25#8952 webauth: improve error messages around webauth in non-TTY (#8952) (@Andarist)Dependencies
332c9f3#8960glob@13.0.1eca02c7#8960minimatch@10.1.2@isaacs/brace-expansion@5.0.1b3f8475#8951minipass-fetch@5.0.1924171b#8951is-cidr@6.0.24404002#8951ci-info@4.4.0b65af73#8951lru-cache@11.2.5164c355#8951tar@7.5.7a74a19c#8951node-gyp@12.2.0e0bc212#8943pacote@21.1.0Chores
4a82a8f#8951 dev dependency updates (@wraithgar)@npmcli/arborist@9.2.0@npmcli/config@10.6.0libnpmdiff@8.1.0libnpmexec@10.2.0libnpmfund@7.0.14libnpmpack@9.1.0v11.8.0Compare Source
Features
545e861#8828 show proxy environment variables in npm config list (Max Black)Bug Fixes
c2f784d#8859 preserve serialNumber UUID in CycloneDX SBOM output #8837 (#8859) (@saksham-malhotra-27)f2c3af7#8840 more intuitive byte formatting boundaries for rounding (#8840) (@watilde)Documentation
3474ec3#8866 fix typo/logic error in npm-dedupe docs (#8866) (@Schweinepriester)5552e46#8797 npm-install: explain package-lock.json behavior (#8797) (@MaxBlack-dev, Max Black)Dependencies
f478ca0#8919postcss-selector-parser@7.1.12b6a71f#8919path-scurry@2.0.119096f2#8919sigstore@4.1.0e7f5d1e#8919lru-cache@11.2.49e756ae#8919ip-address@10.1.0f951820#8919common-ancestor-path@2.0.07a949ad#8919@sigstore/verify@3.1.06979ce1#8919@sigstore/sign@4.1.0b4a6a41#8919@sigstore/core@3.1.0dc8a8e8#8919@sigstore/tuf@4.0.1be221ea#8919validate-npm-package-name@7.0.2149823d#8919diff@8.0.332b2001#8919tar@7.5.4Chores
8f599df#8919 pin jsdom to 27.0.0 (@wraithgar)f4f1161#8919 dev dependency updates (@wraithgar)@npmcli/arborist@9.1.10@npmcli/config@10.5.0libnpmdiff@8.0.13libnpmexec@10.1.12libnpmfund@7.0.13libnpmpack@9.0.13v11.7.0Compare Source
Features
b380d15#8697 add deduping to notices unless in verbose+ mode (@owlstronaut)Bug Fixes
4ebb831#8839 updates hints to use cli paradigm (@owlstronaut)7896e51#8838 update the token list text (@owlstronaut)8ab8668#8836 query: support package-lock-only in workspaces (@watilde)35e8d38#8322 properly handle newlines with input when using the spinner (#8322) (@mbtools)0c0faae#8780 adduser: improve email prompt (#8780) (@mbtools)Documentation
7f2ab9d#8810 scripts: replace deprecated prepublish and install examples with prepare (Max Black)91ebab7#8847 remove note about token create being disabled (@owlstronaut)2030250#8822 scripts: clarify prepare script runs with --production (Max Black)33a50d7#8821 scripts: update npm_package_* environment variables documentation (Max Black)50508f9#8793 package-json: add documentation for type field (#8793) (@MaxBlack-dev, Max Black)aa1dd7e#8823 scripts: document that prepare scripts run concurrently in workspaces (Max Black)3f48487#8820 package-spec: fix alias syntax in examples (Max Black)dd104da#8812 version: add note about git version requirements (Max Black)58afdcc#8792 install: clarify prerelease version range behavior (Max Black)9f818e8#8795 npm-view: clarify object property access syntax and provide examples (Max Black)39c2f2e#8791 add examples for command line flags including --prefix (Max Black)1298530#8790 clarify version field can be omitted in package-lock (Max Black)090b6ca#8794 npx: clarify that arguments are passed to executed command (Max Black)a864f80#8787 document gypfile field in package.json (Max Black)2fc689d#8788 add field access patterns to npm view (Max Black)4850639#8796 package-json: add examples for replacing dependencies with forks in overrides (Max Black)4864dd4#8798 npm-install: document engines field priority when installing packages (Max Black)95d25cd#8799 package-json: clarify repository field normalization during publish (Max Black)a367f9b#8800 package-lock-json: clarify that version field may be omitted for certain dependencies (Max Black)ffc9b71#8801 npm-install: clarify --tag does not override package.json (#8801) (@MaxBlack-dev, Max Black)73688ca#8735 clarify npm version behavior with prerelease versions (#8735) (@yashwantbezawada)4a32606#8785 updates the token create documentation (#8785) (@owlstronaut, @wraithgar)Chores
54929ce#8836 update baseline-browser-mapping (@watilde)Dependencies
@npmcli/arborist@9.1.9@npmcli/config@10.4.5libnpmdiff@8.0.12libnpmexec@10.1.11libnpmfund@7.0.12libnpmpack@9.0.12v11.6.4Compare Source
Documentation
dfb83c7#8749 add example for keywords field (#8749) (@MaxBlack-dev, Max Black)1b1e227#8750 remove outdated roadmap link (#8750) (@MaxBlack-dev, Max Black)1333d57#8752 clarify .npmrc naming convention for environment variable overrides (#8752) (@MaxBlack-dev)22cddb8#8755 add workspace dependencies example to workspaces (Max Black)17e154c#8756 standardize env vars to uppercase convention (Max Black)1e51a25#8754 fix lifecycle event order for prepare script (Max Black)8d72bc9#8753 add os, cpu, and funding fields to package-lock.json (Max Black)Dependencies
f56bb13#8779proc-log@6.1.0(#8779)f963223#8770proggy@4.0.0f51e4aa#8770nopt@9.0.02d15040#8770@npmcli/query@5.0.09d77b84#8770@npmcli/installed-package-contents@4.0.0e2ac092#8770read@5.0.16e5bfd9#8770init-package-json@8.2.47f8e237#8770p-map@7.0.4a4aa218#8770npm-user-validate@4.0.06430446#8770npm-audit-report@7.0.058650dc#8770@npmcli/fs@5.0.04a11146#8770glob@13.0.000511d4#8770@npmcli/cacache@20.0.3224afa2#8770@npmcli/map-workspaces@5.0.3664ac34#8770@npmcli/package-json@7.0.4@npmcli/arborist@9.1.8@npmcli/config@10.4.4libnpmdiff@8.0.11libnpmexec@10.1.10libnpmfund@7.0.11libnpmpack@9.0.11v11.6.3Compare Source
Bug Fixes
c6242d9#8706 change npm profile to create tokens with GAT support (#8706) (@owlstronaut, @wraithgar)cbc6fa9#8731 order of version information in error message (#8731) (@piotrd, @pd-be)11dbd7e#8709 display full token when creating authentication tokens (#8709) (@MaxBlack-dev, Max Black)49a4eef#8676 use look behind regex for trailing slash stripping (#8676) (@wraithgar)b1aee62#8645 dep flag calculation (#8645) (@liamcmitchell)Documentation
ca53c21#8745 add workspace usage examples (#8745) (@MaxBlack-dev, Max Black)e71ca0e#8746 add --save flag to documentation (#8746) (@MaxBlack-dev, Max Black)06510a8#8683 add ignore-scripts option to npm version help and docs (#8683) (@Tejas242)Dependencies
7f72238#8723cacache@20.0.27ac9db8#8723init-package-json@8.2.341e97c6#8723validate-npm-package-name@7.0.06b1fbe1#8723npm-package-arg@13.0.2aa1d486#8723@npmcli/promise-spawn@9.0.1599c819#8723which@6.0.0e49286e#8723ini@5.0.0b7c9f96#8723@npmcli/promise-spawn@9.0.08cc9f70#8723ssri@13.0.00b7274f#8723pacote@21.0.459b3c6a#8723@npmcli/redact@4.0.0578abad#8723node-gyp@12.1.089c4151#8723@npmcli/git@7.0.1c6d109d#8723make-fetch-happen@15.0.334d8599#8723npm-registry-fetch@19.1.14811a86#8723@npmcli/run-script@10.0.36cb77df#8723@npmcli/installed-package-contents@4.0.005ac7a7#8723proc-log@6.0.00a74f6d#8723bin-links@6.0.0c02ce5c#8723@npmcli/package-json@7.0.29c0cefa#8723json-parse-even-better-errors@5.0.0041b9b2#8723parse-conflict-json@5.0.1a1b0fea#8723@npmcli/name-from-folder@4.0.0a085745#8723abbrev@4.0.000d9c7d#8723nopt@9.0.03404dca#8723npm-install-checks@8.0.0542fcf3#8723@npmcli/node-gyp@5.0.089e14d3#8723tar@7.5.25383f3a#8723npm-registry-fetch@19.1.01bb9a7d#8723npm-profile@12.0.1de619a4#8723npm-pick-manifest@11.0.30e042ec#8723npm-packlist@10.0.32a3c338#8723node-gyp@11.5.0b96e86c#8723minimatch@10.1.1d347329#8723exponential-backoff@3.1.3d6830f4#8723@npmcli/run-script@10.0.2bcc7ec8#8723@npmcli/metavuln-calculator@9.0.37a419df#8723@npmcli/map-workspaces@5.0.1Chores
32bdd83#8723 fix package-lock (@wraithgar)4bff14b#8670 write tarball to testDir (#8670) (@wraithgar)679486b#8672 fix lockfile (#8672) (@wraithgar)@npmcli/arborist@9.1.7@npmcli/config@10.4.3libnpmdiff@8.0.10libnpmexec@10.1.9libnpmfund@7.0.10libnpmpack@9.0.10libnpmpublish@11.1.3libnpmversion@8.0.3v11.6.2Compare Source
Bug Fixes
c54d1e9#8633 progress bar code cleanup (#8633) (@wraithgar)d352e27#8629 do not redact notice logs going to stdout (#8629) (@wraithgar)5ac3678#8617 spelling in ./lib and ./test/lib (#8617) (@jsoref)9197995#8619 spelling (#8619) (@jsoref)dd884e3#8618 spelling (#8618) (@jsoref)f6028e6#8614 skip redacting urls meant for opening by the user (#8614) (@wraithgar, @jolyndenning)54fd27f#8602 refactor node.ideallyInert to node.inert (#8602) (@liamcmitchell)79e3c1e#8593 use @npmcli/package-json to normalize package data (@wraithgar)Documentation
0469c5e#8639 rewrap markdown (#8639) (@jsoref)9ceb9c1#8636 rewrap markdown (#8636) (@jsoref)6324370#8616 fix spelling (#8616) (@jsoref)1b0429a#8607 Fix spelling (#8607) (@jsoref)7fbe07a#8603 clean up deprecatednpm accesscommands (#8603) (@jsoref)Dependencies
fa7cc6f#8662ci-info@4.3.1(#8662)b05461b#8663@sigstore/sign@4.0.1(#8663)c31de22#8661 downgrade ci-info to 4.3.0 (#8661) (@wraithgar)c5191b5#8659ci-info@4.3.1f255c92#8659hosted-git-info@9.0.2bdaf323#8659is-cidr@6.0.1a33f106#8659lru-cache@11.2.28044e07#8659npm-package-arg@13.0.1f577504#8659npm-packlist@10.0.29aa4fa6#8659semver@7.7.3fe9484a#8593 remove normalize-package-dataChores
b3409f4#8659 dev dependency updates (@wraithgar)e8de81b#8643 Add automatically generated annotation to dependencies.md (#8643) (@jsoref)67cfaf3#8627 fix spelling: different (#8627) (@jsoref)17ddc0d#8622 fix spelling (#8622) (@jsoref)c3e1790#8605 Remove reference to nonexistent calendar (#8605) (@jsoref)ac9143e#8604 Improve link accessibility for screen reader users (#8604) (@jsoref)62d73e7#8601 remove references to benchmarks workflow (#8601) (@jsoref)bb4b739#8598 remove stale comment (#8598) (@jsoref)f73e65d#8592 fix build url code for remark-github@12 (#8592) (@wraithgar)@npmcli/arborist@9.1.6@npmcli/config@10.4.2libnpmaccess@10.0.3libnpmdiff@8.0.9libnpmexec@10.1.8libnpmfund@7.0.9libnpmpack@9.0.9libnpmpublish@11.1.2v11.6.1Compare Source
Bug Fixes
d389614#8579 corrects peer dependency flag propagation (@owlstronaut)5db81c3#8512 allow concurrent non-local npx calls (#8512) (@jenseng, @wraithgar)Documentation
7a09902#8582 bring back certfile (#8582) (@jenseng)Dependencies
849dcb6#8589tar@7.5.1(#8589)ea15731#8576binary-extensions@3.1.00f41bac#8576tiny-relative-date@2.0.207bf540#8576is-cidr@6.0.0ef87ec6#8576diff@8.0.248285e0#8576 add fdir, isexe, and picomatch to node_modules099238a#8576fdir@6.5.06e4d673#8576isexe@3.1.109a7494#8576supports-color@10.2.2c5157c9#8576chalk@5.6.246035db#8576debug@4.4.35f6664b#8576spdx-license-ids@3.0.225516583#8576socks@2.8.76a392f3#8576tinyglobby@0.2.159519f18#8576npm-install-checks@7.1.234bafd1#8576node-gyp@11.4.2dfd034e#8576@npmcli/promise-spawn@8.0.3d4eef14#8576rimraf@6.0.1566f1b7#8576minimatch@10.0.3ac33497#8576mkdirp@3.0.11676626#8576glob@11.0.3817f0b1#8576ignore-walk@8.0.079a4e67#8576minizlib@3.0.238fa2c2#8576negotiator@1.0.024252a1#8576@npmcli/agent@4.0.0ea7ca5f#8576lru-cache@11.2.1521823b#8576@npmcli/git@7.0.0bf6b686#8576npm-package-arg@13.0.09392488#8576npm-package-manifest@11.0.10082083#8576normalize-package-data@8.0.0633c4ed#8576hosted-git-info@9.0.066f64eb#8576make-fetch-happen@15.0.21f85f94#8576@sigstore/tuf@4.0.0a2bdecc#8576sigstore@4.0.01149971#8576npm-registry-fetch@19.0.0b5bd5e3#8576npm-profile@12.0.06221e27#8576@npmcli/metavuln-calculator@9.0.2da81a37#8576cacache@20.0.16b4c5f9#8576@npmcli/run-script@10.0.0cb36a8a#8576init-package-json@8.2.2b6bb9ae#8576pacote@21.0.31b4433f#8576@npmcli/map-workspaces@5.0.0ceae674#8576@npmcli/package-json@7.0.14f37534#8576 remove read-package-json-fastChores
7eb5c09#8576 update package-lock with peer flag fixes (@wraithgar)0d00fd8#8576jsdom@27.0.0(@wraithgar)420a569[#8576](https://redirect.github.com/npm/cli/pullConfiguration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.