Skip to content

chore: release 11.8.0 #8853

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
github-actions wants to merge 1 commit into
base: latest
Choose a base branch
from
Open

chore: release 11.8.0 #8853

github-actions wants to merge 1 commit into from
+101 −42

Conversation

@github-actions
Copy link
Contributor

@github-actions github-actions bot commented Dec 11, 2025
edited
Loading

🤖 I have created a release beep boop

11.8.0

11.8.0 (2026-01-21)

Features

  • 545e861 #8828 show proxy environment variables in npm config list (Max Black)

Bug Fixes

Documentation

Dependencies

Chores

arborist: 9.1.10

9.1.10 (2026-01-21)

Dependencies

config: 10.5.0

10.5.0 (2026-01-21)

Features

  • 5a444d5 #8828 export environment config variable names (Max Black)
libnpmdiff: 8.0.13

Dependencies

libnpmexec: 10.1.12

Dependencies

libnpmfund: 7.0.13

Dependencies

libnpmpack: 9.0.13

Dependencies

This PR was generated with Release Please. See documentation.

@github-actions github-actions bot requested a review from a team as a code owner December 11, 2025 21:52
@github-actions
Copy link
Contributor Author

github-actions bot commented Dec 11, 2025
edited
Loading

Release Manager

Release workflow run: https://github.com/npm/cli/actions/runs/21217988436

Release Checklist for v11.8.0

  • 1. Checkout the release branch

    Ensure git status is not dirty on this branch after resetting deps. If it is, then something is probably wrong with the automated release process.

    gh pr checkout 8853 --force
    npm run resetdeps
    node scripts/git-dirty.js

  • 2. Check CI status

    gh pr checks --watch

  • 3. Publish the CLI and workspaces

    Warning:
    This will publish all updated workspaces to latest, prerelease or backport depending on their version, and will publish the CLI with the dist-tag set to next-11.

    Note:
    The --test argument can optionally be omitted to run the publish process without running any tests locally.

    node scripts/publish.js --test

  • 4. Optionally install and test [email protected] locally

    npm i -g [email protected]
    npm --version
npm whoami
npm help install
# etc

  • 5. Set latest dist-tag to newly published version

    Warning:
    NOT FOR PRERELEASE: Do not run this step for prereleases or if 11 is not being set to latest.

    node . dist-tag add [email protected] latest

  • 6. Trigger docs.npmjs.com update

    gh workflow run update-cli.yml --repo npm/documentation

  • 7. Approve and Merge release PR

    gh pr review --approve
    gh pr merge --rebase
    git checkout latest
    git fetch
    git reset --hard origin/latest
    node . run resetdeps

  • 8. Wait For Release Tags

    Warning:
    The remaining steps all require the GitHub tags and releases to be created first. These are done once this PR has been labelled with autorelease: tagged.

    Release Please will run on the just merged release commit and create GitHub releases and tags for each package. The release bot will will comment on this PR when the releases and tags are created.

    Note:
    The release workflow also includes the Node integration tests which do not need to finish before continuing.

    You can watch the release workflow in your terminal with the following command:

    gh run watch `gh run list -R npm/cli -w release -b latest -L 1 --json databaseId -q ".[0].databaseId"`

  • 9. Mark GitHub Release as latest

    Warning:
    You must wait for CI to create the release tags before running this step. These are done once this PR has been labelled with autorelease: tagged.

    Release Please will make GitHub Releases for the CLI and all workspaces, but GitHub has UI affordances for which release should appear as the "latest", which should always be the CLI. To mark the CLI release as latest run this command:

    gh release -R npm/cli edit v11.8.0 --latest

  • 10. Open nodejs/node PR to update npm to latest

    Warning:
    You must wait for CI to create the release tags before running this step. These are done once this PR has been labelled with autorelease: tagged.

    Trigger the Create Node PR action. This will open a PR on nodejs/node to the main branch.

    Note:
    The resulting PR may need to be labelled if it is not intended to land on old Node versions.

    First, sync our fork of node with the upstream source:

    gh repo sync npm/node --source nodejs/node --force

    Then, if we are opening a PR against the latest version of node:

    gh workflow run create-node-pr.yml -f spec=next-11

    If the PR should be opened on a different branch (such as when doing backports) then run it with -f branch=<BRANCH_NAME>. There is also a shortcut to target a specific Node version by specifying a major version number with -f branch=18 (or similar).

    For example, this will create a PR on nodejs/node to the v16.x-staging branch:

    gh workflow run create-node-pr.yml -f spec=next-11 -f branch=16

  • 11. Label and fast-track nodejs/node PR

    Note:
    This requires being a nodejs collaborator. This could be you!

    • Thumbs-up reaction on the Fast-track comment
    • Add an LGTM / Approval
    • Add request-ci label to get it running CI
    • Add commit-queue label once everything is green

@github-actions github-actions bot force-pushed the release-please--branches--latest branch from 6392e59 to 75e0476 Compare December 11, 2025 21:53
@ro0NL
Copy link

ro0NL commented Dec 12, 2025
edited
Loading

Will this fix the BC break as reported in #8726?

@github-actions github-actions bot changed the title chore: release 11.7.1 chore: release 11.8.0 Dec 16, 2025
@github-actions github-actions bot force-pushed the release-please--branches--latest branch 8 times, most recently from 0361e85 to 3eae5ff Compare December 19, 2025 17:43
@ljharb ljharb mentioned this pull request Jan 16, 2026
Closed
@MarkWilsonInform
Copy link

MarkWilsonInform commented Jan 19, 2026

Would really be appreciated if this release is out asap. Since Saturday version 11.7.0 is being blocked by Xray (CVE-2026-23745).

@prajwalmr62
Copy link

prajwalmr62 commented Jan 19, 2026

Would really be appreciated if this release is out asap. Since Saturday version 11.7.0 is being blocked by Xray (CVE-2026-23745).

But does it fix the mentioned vulnerability? I do not see version update in package-lock files.

@MarkWilsonInform
Copy link

MarkWilsonInform commented Jan 19, 2026

Would really be appreciated if this release is out asap. Since Saturday version 11.7.0 is being blocked by Xray (CVE-2026-23745).

But does it fix the mentioned vulnerability? I do not see version update in package-lock files.

Just checked - you´re right. 11.8.0 still uses tar version 7.5.2 - needs to be ^7.5.3

@Andrea-Filice
Copy link

Andrea-Filice commented Jan 20, 2026
edited
Loading

Would really be appreciated if this release is out asap. Since Saturday version 11.7.0 is being blocked by Xray (CVE-2026-23745).

But does it fix the mentioned vulnerability? I do not see version update in package-lock files.

Just checked - you´re right. 11.8.0 still uses tar version 7.5.2 - needs to be ^7.5.3

You're right, also with diff dependencies. Just reported to #8911

@djeevan-intel
Copy link

djeevan-intel commented Jan 20, 2026

Hopefully #8916 can be added to this release.

@github-actions github-actions bot force-pushed the release-please--branches--latest branch from 3eae5ff to cc0bb48 Compare January 21, 2026 16:49
@github-actions github-actions bot force-pushed the release-please--branches--latest branch from cc0bb48 to bda624e Compare January 21, 2026 16:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

autorelease: pending

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@ro0NL @MarkWilsonInform @prajwalmr62 @Andrea-Filice @djeevan-intel