chore: release 11.17.0

Author: github-actions[bot]

.release-please-manifest.json

@@ -1,15 +1,15 @@
 {
-  ".": "11.16.0",
-  "workspaces/arborist": "9.7.0",
+  ".": "11.17.0",
+  "workspaces/arborist": "9.8.0",
   "workspaces/libnpmaccess": "10.0.3",
-  "workspaces/libnpmdiff": "8.1.9",
-  "workspaces/libnpmexec": "10.2.9",
-  "workspaces/libnpmfund": "7.0.23",
+  "workspaces/libnpmdiff": "8.1.10",
+  "workspaces/libnpmexec": "10.3.0",
+  "workspaces/libnpmfund": "7.0.24",
   "workspaces/libnpmorg": "8.0.1",
-  "workspaces/libnpmpack": "9.1.9",
+  "workspaces/libnpmpack": "9.1.10",
   "workspaces/libnpmpublish": "11.2.0",
   "workspaces/libnpmsearch": "9.0.1",
   "workspaces/libnpmteam": "8.0.2",
   "workspaces/libnpmversion": "8.0.4",
-  "workspaces/config": "10.10.0"
+  "workspaces/config": "10.10.1"
 }

CHANGELOG.md

@@ -1,5 +1,35 @@
 # Changelog
 
+## [11.17.0](https://github.com/npm/cli/compare/v11.16.0...v11.17.0) (2026-06-08)
+### Features
+* [`8ff3e48`](https://github.com/npm/cli/commit/8ff3e48113a53576a8d450d7d5a1cb190a1986e1) [#9483](https://github.com/npm/cli/pull/9483) allowScripts tooling and inBundle hardening (#9483) (@github-actions[bot], @JamieMagee)
+### Bug Fixes
+* [`351a309`](https://github.com/npm/cli/commit/351a309e7c625b79cfb0c9fbaa2dc9a544509f70) [#9499](https://github.com/npm/cli/pull/9499) pass script-shell to publish lifecycle hooks (#9499) (@github-actions[bot])
+* [`4fa81df`](https://github.com/npm/cli/commit/4fa81dfedab4bf39e85d828f217a70210afd6dac) [#9497](https://github.com/npm/cli/pull/9497) recognize allowScripts for local link targets (#9497) (@github-actions[bot], @cyphercodes, @cyphercodes)
+* [`95cf2e9`](https://github.com/npm/cli/commit/95cf2e9efea892023387f3aec6062b8a7e8f1a60) [#9489](https://github.com/npm/cli/pull/9489) validate registry path for allow-remote tarballs (@Abhinav-143x)
+* [`9dd219b`](https://github.com/npm/cli/commit/9dd219b20ec3a1c7e46b23209b4619b872f1b604) [#9462](https://github.com/npm/cli/pull/9462) respect allowScripts policy in prune, dedupe, uninstall, audit, and link (#9462) (@github-actions[bot], @JamieMagee)
+* [`cd8d18a`](https://github.com/npm/cli/commit/cd8d18a66832856c5cc2ba90dc7c8b0f3dbe476b) [#9482](https://github.com/npm/cli/pull/9482) list pending scripts in approve-scripts when ignore-scripts is set (#9482) (@github-actions[bot], @JamieMagee)
+* [`c14e87c`](https://github.com/npm/cli/commit/c14e87c5d84a81ebe14ebe9c68e050ee6ec0fded) [#9481](https://github.com/npm/cli/pull/9481) suggest --allow-scripts for global installs in unreviewed-scripts warnings (#9481) (@github-actions[bot], @JamieMagee)
+* [`7ade52e`](https://github.com/npm/cli/commit/7ade52ea4059ca75e83f10e892b24581624acef9) [#9465](https://github.com/npm/cli/pull/9465) invalid issue template YAML indentation (#9465) (@github-actions[bot], @fallintoplace)
+* [`c069622`](https://github.com/npm/cli/commit/c0696225d8792e461989214ba7d8886dfd862b4a) [#9464](https://github.com/npm/cli/pull/9464) show full parent command path in subcommand usage errors (#9464) (@owlstronaut)
+* [`1bb62bb`](https://github.com/npm/cli/commit/1bb62bb639d1f791a0c51d236fba01c25c58992e) [#9454](https://github.com/npm/cli/pull/9454) config: clarify --all help so it's accurate for approve-scripts and deny-scripts (@JamieMagee)
+* [`84eeb5f`](https://github.com/npm/cli/commit/84eeb5fe9db14e01ebc44999ebe126224a78eb83) [#9431](https://github.com/npm/cli/pull/9431) audit: don't apply min-release-age before filter when verifying installed signatures (@JamieMagee)
+* [`3bd3377`](https://github.com/npm/cli/commit/3bd3377f207732b47655ea3a896d53046df199c4) [#9426](https://github.com/npm/cli/pull/9426) block forbidden keys in Queryable setter to prevent prototype pollution (@12122J, @claude)
+### Documentation
+* [`693bb3d`](https://github.com/npm/cli/commit/693bb3de834f4611bf41785be357dc4598a2aaae) [#9508](https://github.com/npm/cli/pull/9508) clarify package.json override value specs (#9508) (@github-actions[bot], @ded-furby)
+* [`ccffe4a`](https://github.com/npm/cli/commit/ccffe4a917e1b9faf6e8fa9ab3a2856819e29e3a) [#9501](https://github.com/npm/cli/pull/9501) use the latest version for global update and outdated's `wanted` (#9501) (@github-actions[bot], @liangmiQwQ)
+* [`66e97c2`](https://github.com/npm/cli/commit/66e97c20003b43d80c464b89fb1e1c8c6b5c9433) [#9478](https://github.com/npm/cli/pull/9478) update minimum npm required for npm trust (@meeech)
+
+
+### Dependencies
+
+* [workspace](https://github.com/npm/cli/releases/tag/arborist-v9.8.0): `@npmcli/arborist@9.8.0`
+* [workspace](https://github.com/npm/cli/releases/tag/config-v10.10.1): `@npmcli/config@10.10.1`
+* [workspace](https://github.com/npm/cli/releases/tag/libnpmdiff-v8.1.10): `libnpmdiff@8.1.10`
+* [workspace](https://github.com/npm/cli/releases/tag/libnpmexec-v10.3.0): `libnpmexec@10.3.0`
+* [workspace](https://github.com/npm/cli/releases/tag/libnpmfund-v7.0.24): `libnpmfund@7.0.24`
+* [workspace](https://github.com/npm/cli/releases/tag/libnpmpack-v9.1.10): `libnpmpack@9.1.10`
+
 ## [11.16.0](https://github.com/npm/cli/compare/v11.15.0...v11.16.0) (2026-05-27)
 ### Features
 * [`4b67f6e`](https://github.com/npm/cli/commit/4b67f6ed21a8bf7e47ae78b7fc9cc9fbdfa95057) [#9416](https://github.com/npm/cli/pull/9416) publish --access=private alias for restricted (#9416) (@github-actions[bot], @reggi, @Copilot)

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "npm",
-  "version": "11.16.0",
+  "version": "11.17.0",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "npm",
-      "version": "11.16.0",
+      "version": "11.17.0",
       "bundleDependencies": [
         "@isaacs/string-locale-compare",
         "@npmcli/arborist",
@@ -14605,7 +14605,7 @@
     },
     "workspaces/arborist": {
       "name": "@npmcli/arborist",
-      "version": "9.7.0",
+      "version": "9.8.0",
       "license": "ISC",
       "dependencies": {
         "@gar/promise-retry": "^1.0.0",
@@ -14663,7 +14663,7 @@
     },
     "workspaces/config": {
       "name": "@npmcli/config",
-      "version": "10.10.0",
+      "version": "10.10.1",
       "license": "ISC",
       "dependencies": {
         "@npmcli/map-workspaces": "^5.0.0",
@@ -14703,10 +14703,10 @@
       }
     },
     "workspaces/libnpmdiff": {
-      "version": "8.1.9",
+      "version": "8.1.10",
       "license": "ISC",
       "dependencies": {
-        "@npmcli/arborist": "^9.7.0",
+        "@npmcli/arborist": "^9.8.0",
         "@npmcli/installed-package-contents": "^4.0.0",
         "binary-extensions": "^3.0.0",
         "diff": "^8.0.2",
@@ -14725,11 +14725,11 @@
       }
     },
     "workspaces/libnpmexec": {
-      "version": "10.2.9",
+      "version": "10.3.0",
       "license": "ISC",
       "dependencies": {
         "@gar/promise-retry": "^1.0.0",
-        "@npmcli/arborist": "^9.7.0",
+        "@npmcli/arborist": "^9.8.0",
         "@npmcli/package-json": "^7.0.0",
         "@npmcli/run-script": "^10.0.0",
         "ci-info": "^4.0.0",
@@ -14756,10 +14756,10 @@
       }
     },
     "workspaces/libnpmfund": {
-      "version": "7.0.23",
+      "version": "7.0.24",
       "license": "ISC",
       "dependencies": {
-        "@npmcli/arborist": "^9.7.0"
+        "@npmcli/arborist": "^9.8.0"
       },
       "devDependencies": {
         "@npmcli/eslint-config": "^5.0.1",
@@ -14789,10 +14789,10 @@
       }
     },
     "workspaces/libnpmpack": {
-      "version": "9.1.9",
+      "version": "9.1.10",
       "license": "ISC",
       "dependencies": {
-        "@npmcli/arborist": "^9.7.0",
+        "@npmcli/arborist": "^9.8.0",
         "@npmcli/run-script": "^10.0.0",
         "npm-package-arg": "^13.0.0",
         "pacote": "^21.0.2"

package.json

@@ -1,5 +1,5 @@
 {
-  "version": "11.16.0",
+  "version": "11.17.0",
   "name": "npm",
   "description": "a package manager for JavaScript",
   "workspaces": [
@@ -52,8 +52,8 @@
   },
   "dependencies": {
     "@isaacs/string-locale-compare": "^1.1.0",
-    "@npmcli/arborist": "^9.7.0",
-    "@npmcli/config": "^10.10.0",
+    "@npmcli/arborist": "^9.8.0",
+    "@npmcli/config": "^10.10.1",
     "@npmcli/fs": "^5.0.0",
     "@npmcli/map-workspaces": "^5.0.3",
     "@npmcli/metavuln-calculator": "^9.0.3",
@@ -77,11 +77,11 @@
     "is-cidr": "^6.0.4",
     "json-parse-even-better-errors": "^5.0.0",
     "libnpmaccess": "^10.0.3",
-    "libnpmdiff": "^8.1.9",
-    "libnpmexec": "^10.2.9",
-    "libnpmfund": "^7.0.23",
+    "libnpmdiff": "^8.1.10",
+    "libnpmexec": "^10.3.0",
+    "libnpmfund": "^7.0.24",
     "libnpmorg": "^8.0.1",
-    "libnpmpack": "^9.1.9",
+    "libnpmpack": "^9.1.10",
     "libnpmpublish": "^11.2.0",
     "libnpmsearch": "^9.0.1",
     "libnpmteam": "^8.0.2",

workspaces/arborist/CHANGELOG.md

@@ -1,5 +1,18 @@
 # Changelog
 
+## [9.8.0](https://github.com/npm/cli/compare/arborist-v9.7.0...arborist-v9.8.0) (2026-06-08)
+### Features
+* [`8ff3e48`](https://github.com/npm/cli/commit/8ff3e48113a53576a8d450d7d5a1cb190a1986e1) [#9483](https://github.com/npm/cli/pull/9483) allowScripts tooling and inBundle hardening (#9483) (@github-actions[bot], @JamieMagee)
+### Bug Fixes
+* [`66408d7`](https://github.com/npm/cli/commit/66408d7f423313dd0daa7fa9356c4d5fe25ee86c) [#9500](https://github.com/npm/cli/pull/9500) arborist: apply registry-tarball allow-remote exemption in linked strategy (#9500) (@github-actions[bot], @manzoorwanijk)
+* [`4fa81df`](https://github.com/npm/cli/commit/4fa81dfedab4bf39e85d828f217a70210afd6dac) [#9497](https://github.com/npm/cli/pull/9497) recognize allowScripts for local link targets (#9497) (@github-actions[bot], @cyphercodes, @cyphercodes)
+* [`95cf2e9`](https://github.com/npm/cli/commit/95cf2e9efea892023387f3aec6062b8a7e8f1a60) [#9489](https://github.com/npm/cli/pull/9489) validate registry path for allow-remote tarballs (@Abhinav-143x)
+* [`869cb9a`](https://github.com/npm/cli/commit/869cb9a1ef5627872830935024be94d60102b514) [#9485](https://github.com/npm/cli/pull/9485) arborist: link meta-only optional peers in linked strategy (@manzoorwanijk)
+* [`d41a9e3`](https://github.com/npm/cli/commit/d41a9e3494135593c2bbd0010e0b21b5adc6ee90) [#9484](https://github.com/npm/cli/pull/9484) arborist: clean up orphaned scoped store entries in linked strategy (@manzoorwanijk)
+* [`39d034d`](https://github.com/npm/cli/commit/39d034d7bee3f523ebfac8215e924d466722d101) [#9455](https://github.com/npm/cli/pull/9455) sanitize package name in linked-strategy path construction (@owlstronaut)
+* [`d59c964`](https://github.com/npm/cli/commit/d59c96413f6c731b3df87556efe4f0a9706d0a6d) [#9451](https://github.com/npm/cli/pull/9451) reject path traversal entries when inflating dependency shrinkwraps (@owlstronaut)
+* [`c9045d5`](https://github.com/npm/cli/commit/c9045d5885fa1338b7d32fa845aea0bfeab01657) [#9429](https://github.com/npm/cli/pull/9429) arborist: read install scripts from disk on lockfile installs instead of a sentinel (@JamieMagee)
+
 ## [9.7.0](https://github.com/npm/cli/compare/arborist-v9.6.0...arborist-v9.7.0) (2026-05-27)
 ### Features
 * [`a10c7ca`](https://github.com/npm/cli/commit/a10c7caf3ad9d2d5e17234c5c5e615dbce7717f9) [#9415](https://github.com/npm/cli/pull/9415) Phase 1 of `allowScripts` opt-in install-script policy (#9360) (#9415) (@owlstronaut, @JamieMagee)

workspaces/arborist/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@npmcli/arborist",
-  "version": "9.7.0",
+  "version": "9.8.0",
   "description": "Manage node_modules trees",
   "dependencies": {
     "@gar/promise-retry": "^1.0.0",

workspaces/config/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## [10.10.1](https://github.com/npm/cli/compare/config-v10.10.0...config-v10.10.1) (2026-06-08)
+### Bug Fixes
+* [`1bb62bb`](https://github.com/npm/cli/commit/1bb62bb639d1f791a0c51d236fba01c25c58992e) [#9454](https://github.com/npm/cli/pull/9454) config: clarify --all help so it's accurate for approve-scripts and deny-scripts (@JamieMagee)
+
 ## [10.10.0](https://github.com/npm/cli/compare/config-v10.9.1...config-v10.10.0) (2026-05-27)
 ### Features
 * [`4b67f6e`](https://github.com/npm/cli/commit/4b67f6ed21a8bf7e47ae78b7fc9cc9fbdfa95057) [#9416](https://github.com/npm/cli/pull/9416) publish --access=private alias for restricted (#9416) (@github-actions[bot], @reggi, @Copilot)

workspaces/config/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@npmcli/config",
-  "version": "10.10.0",
+  "version": "10.10.1",
   "files": [
     "bin/",
     "lib/"

workspaces/libnpmdiff/CHANGELOG.md

@@ -80,6 +80,10 @@
 
 * [workspace](https://github.com/npm/cli/releases/tag/arborist-v9.7.0): `@npmcli/arborist@9.7.0`
 
+### Dependencies
+
+* [workspace](https://github.com/npm/cli/releases/tag/arborist-v9.8.0): `@npmcli/arborist@9.8.0`
+
 ## [8.1.0](https://github.com/npm/cli/compare/libnpmdiff-v8.0.13...libnpmdiff-v8.1.0) (2026-02-04)
 ### Features
 * [`f5f6cf7`](https://github.com/npm/cli/commit/f5f6cf7c9fc9315b96eb29c5c7d5ab63ad3a9122) [#8943](https://github.com/npm/cli/pull/8943) config: add --allow-git (@wraithgar)

workspaces/libnpmdiff/package.json

@@ -1,6 +1,6 @@
 {
   "name": "libnpmdiff",
-  "version": "8.1.9",
+  "version": "8.1.10",
   "description": "The registry diff",
   "repository": {
     "type": "git",
@@ -47,7 +47,7 @@
     "tap": "^16.3.8"
   },
   "dependencies": {
-    "@npmcli/arborist": "^9.7.0",
+    "@npmcli/arborist": "^9.8.0",
     "@npmcli/installed-package-contents": "^4.0.0",
     "binary-extensions": "^3.0.0",
     "diff": "^8.0.2",