Node v24.14.1 nsolid v6.2.2 release#445
Merged
santigimeno merged 21 commits intonode-v24.x-nsolid-v6.xfrom Mar 27, 2026
Merged
Conversation
PR-URL: nodejs-private/node-private#794 Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com> Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com> CVE-ID: CVE-2026-21715
PR-URL: nodejs-private/node-private#795 Reviewed-By: Anna Henningsen <anna@addaleax.net> CVE-ID: CVE-2026-21716
Wrap the owner._SNICallback() invocation in loadSNI() with try/catch to route exceptions through owner.destroy() instead of letting them become uncaught exceptions. This completes the fix from CVE-2026-21637 which added try/catch protection to callALPNCallback, onPskServerCallback, and onPskClientCallback but missed loadSNI(). Without this fix, a remote unauthenticated attacker can crash any Node.js TLS server whose SNICallback may throw on unexpected input by sending a single TLS ClientHello with a crafted server_name value. Fixes: https://hackerone.com/reports/3556769 Refs: https://hackerone.com/reports/3473882 CVE-ID: CVE-2026-21637 PR-URL: nodejs-private/node-private#819 Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Robert Nagy <ronagy@icloud.com>
Use { __proto__: null } instead of {} when initializing the
headersDistinct and trailersDistinct destination objects.
A plain {} inherits from Object.prototype, so when a __proto__
header is received, dest["__proto__"] resolves to Object.prototype
(truthy), causing _addHeaderLineDistinct to call .push() on it,
which throws an uncaught TypeError and crashes the process.
Ref: https://hackerone.com/reports/3560402
PR-URL: nodejs-private/node-private#821
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
CVE-ID: CVE-2026-21710
Original commit message:
implement rapidhash secret generation
Bug: 409717082
Change-Id: I471f33d66de32002f744aeba534c1d34f71e27d2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6733490
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: snek <snek@chromium.org>
Cr-Commit-Position: refs/heads/main@{#101499}
Refs: v8/v8@0a8b1cd
Co-authored-by: Joyee Cheung <joyeec9h3@gmail.com>
PR-URL: nodejs-private/node-private#828
Original commit message:
[numbers] Refactor HashSeed as a lightweight view over ByteArray
Instead of copying the seed and secrets into a struct with value
fields, HashSeed now stores a pointer pointing either into the
read-only ByteArray, or the static default seed for off-heap
HashSeed::Default() calls. The underlying storage is always
8-byte aligned so we can cast it directly into a struct.
Change-Id: I5896a7f2ae24296eb4c80b757a5d90ac70a34866
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7609720
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Cr-Commit-Position: refs/heads/main@{#105531}
Refs: v8/v8@185f0fe
Co-authored-by: Joyee Cheung <joyeec9h3@gmail.com>
PR-URL: nodejs-private/node-private#828
Original commit message:
[strings] improve array index hash distribution
Previously, the hashes stored in a Name's raw_hash_field for decimal
numeric strings (potential array indices) consist of the literal
integer value along with the length of the string. This means
consecutive numeric strings can have consecutive hash values, which
can lead to O(n^2) probing for insertion in the worst case when e.g.
a non-numeric string happen to land in the these buckets.
This patch adds a build-time flag v8_enable_seeded_array_index_hash that
scrambles the 24-bit array-index value stored in a Name's raw_hash_field
to improve the distribution.
x ^= x >> kShift; x = (x * m1) & kMask; // round 1
x ^= x >> kShift; x = (x * m2) & kMask; // round 2
x ^= x >> kShift; // finalize
To decode, apply the same steps with the modular inverses of m1 and m2
in reverse order.
x ^= x >> kShift; x = (x * m2_inv) & kMask; // round 1
x ^= x >> kShift; x = (x * m1_inv) & kMask; // round 2
x ^= x >> kShift; // finalize
where kShift = kArrayIndexValueBits / 2, kMask = kArrayIndexValueMask,
m1, m2 (both odd) are the lower bits of the rapidhash secrets, m1_inv,
m2_inv (modular inverses) are precomputed modular inverse of m1 and m2.
The pre-computed values are appended to the hash_seed ByteArray in
ReadOnlyRoots and accessed in generated code to reduce overhead.
In call sites that don't already have access to the seeds, we read them
from the current isolate group/isolate's read only roots.
To consolidate the code that encode/decode these hashes, this patch
adds MakeArrayIndexHash/DecodeArrayIndexFromHashField in C++ and CSA
that perform seeding/unseeding if enabled, and updates places where
encoding/decoding of array index is needed to use them.
Bug: 477515021
Change-Id: I350afe511951a54c4378396538152cc56565fd55
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7564330
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Cr-Commit-Position: refs/heads/main@{#105596}
Refs: v8/v8@1361b2a
Co-authored-by: Joyee Cheung <joyeec9h3@gmail.com>
PR-URL: nodejs-private/node-private#828
This enables v8_enable_seeded_array_index_hash and add a test for it. Fixes: https://hackerone.com/reports/3511792 PR-URL: nodejs-private/node-private#828 CVE-ID: CVE-2026-21717
Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com> PR-URL: nodejs-private/node-private#816 CVE-ID: CVE-2026-21712
Use `CRYPTO_memcmp` instead of `memcmp` in `HMAC` and `KMAC` Web Cryptography algorithm implementations. Ref: https://hackerone.com/reports/3533945 PR-URL: nodejs-private/node-private#822 Backport-PR-URL: nodejs-private/node-private#822 Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> CVE-ID: CVE-2026-21713
For compatibility with Python >= 3.12 we need a newer version of `depot_tools` than is used for the older versions of V8. PR-URL: nodejs/node#62344 Refs: nodejs/build#4278 Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
PR-URL: nodejs/node#61892 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
PR-URL: nodejs/node#61994 Reviewed-By: Richard Lau <richard.lau@ibm.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Jordan Harband <ljharb@gmail.com>
PR-URL: nodejs/node#62035 Reviewed-By: Matthew Aitken <maitken033380023@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Richard Lau <richard.lau@ibm.com>
PR-URL: nodejs/node#62233 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Matthew Aitken <maitken033380023@gmail.com> Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
PR-URL: nodejs/node#62271 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
This is a security release. Notable changes: build,deps,test: * (CVE-2026-21717) test array index hash collision crypto: * (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC http: * (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct permission: * (CVE-2026-21716) include permission check on lib/fs/promises * (CVE-2026-21715) add permission check to realpath.native src: * (CVE-2026-21714) handle NGHTTP2_ERR_FLOW_CONTROL error code * (CVE-2026-21712) handle url crash on different url formats tls: * (CVE-2026-21637) wrap SNICallback invocation in try/catch PR-URL: nodejs-private/node-private#837
2026-03-24 Node.js v24.14.1 Krypton (LTS) Release Git-EVTag-v0-SHA512: f277e7ecd26cf68bb8a0c49e457df9639c26c868eb38b041fb7c20c05078d8a76d678863dc2416e994684bf219c79ee44cf9723c29b86fd0a8110ce39a64a58f
WalkthroughThis PR updates npm from 11.9.0 to 11.11.0, introducing a new Changes
Sequence Diagram(s)sequenceDiagram
participant User as User/CLI
participant NPM as npm.js<br/>execCommandClass()
participant Cmd as TrustCommand<br/>Instance
participant Validator as validateFlags()
participant Registry as npm Registry<br/>(API)
User->>NPM: npm trust github --file=...
NPM->>Cmd: Create TrustCommand instance
NPM->>Cmd: flags(commandPath)
Cmd->>Validator: Parse argv with definitions
Validator->>Validator: Check unknown flags
Validator->>Validator: Validate required flags
Validator-->>Cmd: Return {flags, positionalArgs}
Cmd->>Cmd: flagsToOptions(flags)
Cmd->>Cmd: Confirm with user (--yes)
Cmd->>Registry: POST trust relationship
Registry-->>Cmd: Response with trust config
Cmd->>Cmd: bodyToOptions(response)
Cmd-->>User: Display trust relationship
sequenceDiagram
participant User as User Input
participant NPM as npm.js
participant Cmd as BaseCommand
participant Defs as Command.definitions<br/>(or legacy params)
participant Nopt as nopt parser
User->>NPM: CLI args with flags
NPM->>Cmd: execCommandClass(instance, args)
alt Has definitions
Cmd->>Cmd: flags(depth)
Cmd->>Defs: Load command definitions
Defs-->>Cmd: definitions array
Cmd->>Nopt: Parse with types/defaults/shorthands
Nopt-->>Cmd: Parsed flags object
Cmd->>Cmd: `#validateFlags`(parsed, defs)
Cmd->>Cmd: Warn on unknown flags
Cmd->>Cmd: Remap aliases to main keys
Cmd-->>Cmd: Return {flags, positionalArgs}
Cmd->>Cmd: exec(positionalArgs, flags)
else Legacy params
Cmd->>Cmd: exec(args)
end
Cmd-->>User: Command output
Estimated code review effort🎯 5 (Critical) | ⏱️ ~120 minutes Possibly related PRs
Suggested labels
Suggested reviewers
Poem
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
|
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@deps/npm/docs/content/configuring-npm/npmrc.md`:
- Around line 128-130: The markdown has unlabeled fenced code blocks causing
MD040; update the three unlabeled blocks so each has a language specifier: add
"text" to the block containing the literal npm_package_config_mirror and the
block containing the warn Unknown user config "electron_mirror" message, and add
"bash" to the block containing the npm run build -- --customFlag example; locate
those blocks by searching for the snippets "npm_package_config_mirror", "npm run
build -- --customFlag", and "warn Unknown user config \"electron_mirror\"" and
prepend the appropriate language after the opening ``` fence.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: cc7755b0-59c7-4367-8777-c663106329e9
⛔ Files ignored due to path filters (60)
deps/npm/node_modules/@gar/promise-retry/LICENSEis excluded by!**/node_modules/**deps/npm/node_modules/@gar/promise-retry/lib/index.jsis excluded by!**/node_modules/**deps/npm/node_modules/@gar/promise-retry/node_modules/retry/Licenseis excluded by!**/node_modules/**deps/npm/node_modules/@gar/promise-retry/node_modules/retry/example/dns.jsis excluded by!**/node_modules/**deps/npm/node_modules/@gar/promise-retry/node_modules/retry/example/stop.jsis excluded by!**/node_modules/**deps/npm/node_modules/@gar/promise-retry/node_modules/retry/index.jsis excluded by!**/node_modules/**deps/npm/node_modules/@gar/promise-retry/node_modules/retry/lib/retry.jsis excluded by!**/node_modules/**deps/npm/node_modules/@gar/promise-retry/node_modules/retry/lib/retry_operation.jsis excluded by!**/node_modules/**deps/npm/node_modules/@gar/promise-retry/node_modules/retry/package.jsonis excluded by!**/node_modules/**deps/npm/node_modules/@gar/promise-retry/package.jsonis excluded by!**/node_modules/**deps/npm/node_modules/@npmcli/arborist/lib/arborist/build-ideal-tree.jsis excluded by!**/node_modules/**deps/npm/node_modules/@npmcli/arborist/lib/arborist/isolated-reifier.jsis excluded by!**/node_modules/**deps/npm/node_modules/@npmcli/arborist/lib/arborist/rebuild.jsis excluded by!**/node_modules/**deps/npm/node_modules/@npmcli/arborist/lib/arborist/reify.jsis excluded by!**/node_modules/**deps/npm/node_modules/@npmcli/arborist/lib/dep-valid.jsis excluded by!**/node_modules/**deps/npm/node_modules/@npmcli/arborist/lib/query-selector-all.jsis excluded by!**/node_modules/**deps/npm/node_modules/@npmcli/arborist/lib/shrinkwrap.jsis excluded by!**/node_modules/**deps/npm/node_modules/@npmcli/arborist/package.jsonis excluded by!**/node_modules/**deps/npm/node_modules/@npmcli/config/lib/definitions/definition.jsis excluded by!**/node_modules/**deps/npm/node_modules/@npmcli/config/lib/definitions/definitions.jsis excluded by!**/node_modules/**deps/npm/node_modules/@npmcli/config/lib/index.jsis excluded by!**/node_modules/**deps/npm/node_modules/@npmcli/config/package.jsonis excluded by!**/node_modules/**deps/npm/node_modules/@npmcli/git/lib/spawn.jsis excluded by!**/node_modules/**deps/npm/node_modules/@npmcli/git/package.jsonis excluded by!**/node_modules/**deps/npm/node_modules/@npmcli/package-json/lib/license.jsis excluded by!**/node_modules/**deps/npm/node_modules/@npmcli/package-json/lib/normalize-data.jsis excluded by!**/node_modules/**deps/npm/node_modules/@npmcli/package-json/package.jsonis excluded by!**/node_modules/**deps/npm/node_modules/ansi-regex/index.jsis excluded by!**/node_modules/**deps/npm/node_modules/ansi-regex/licenseis excluded by!**/node_modules/**deps/npm/node_modules/ansi-regex/package.jsonis excluded by!**/node_modules/**deps/npm/node_modules/balanced-match/LICENSE.mdis excluded by!**/node_modules/**deps/npm/node_modules/balanced-match/dist/commonjs/index.jsis excluded by!**/dist/**,!**/node_modules/**deps/npm/node_modules/balanced-match/dist/commonjs/package.jsonis excluded by!**/dist/**,!**/node_modules/**deps/npm/node_modules/balanced-match/dist/esm/index.jsis excluded by!**/dist/**,!**/node_modules/**deps/npm/node_modules/balanced-match/dist/esm/package.jsonis excluded by!**/dist/**,!**/node_modules/**deps/npm/node_modules/balanced-match/package.jsonis excluded by!**/node_modules/**deps/npm/node_modules/brace-expansion/LICENSEis excluded by!**/node_modules/**deps/npm/node_modules/brace-expansion/dist/commonjs/index.jsis excluded by!**/dist/**,!**/node_modules/**deps/npm/node_modules/brace-expansion/dist/commonjs/package.jsonis excluded by!**/dist/**,!**/node_modules/**deps/npm/node_modules/brace-expansion/dist/esm/index.jsis excluded by!**/dist/**,!**/node_modules/**deps/npm/node_modules/brace-expansion/dist/esm/package.jsonis excluded by!**/dist/**,!**/node_modules/**deps/npm/node_modules/brace-expansion/package.jsonis excluded by!**/node_modules/**deps/npm/node_modules/cidr-regex/dist/index.jsis excluded by!**/dist/**,!**/node_modules/**deps/npm/node_modules/cidr-regex/package.jsonis excluded by!**/node_modules/**deps/npm/node_modules/cli-columns/color.jsis excluded by!**/node_modules/**deps/npm/node_modules/cli-columns/index.jsis excluded by!**/node_modules/**deps/npm/node_modules/cli-columns/licenseis excluded by!**/node_modules/**deps/npm/node_modules/cli-columns/package.jsonis excluded by!**/node_modules/**deps/npm/node_modules/cli-columns/test.jsis excluded by!**/node_modules/**deps/npm/node_modules/emoji-regex/LICENSE-MIT.txtis excluded by!**/node_modules/**deps/npm/node_modules/emoji-regex/es2015/index.jsis excluded by!**/node_modules/**deps/npm/node_modules/emoji-regex/es2015/text.jsis excluded by!**/node_modules/**deps/npm/node_modules/emoji-regex/index.jsis excluded by!**/node_modules/**deps/npm/node_modules/emoji-regex/package.jsonis excluded by!**/node_modules/**deps/npm/node_modules/emoji-regex/text.jsis excluded by!**/node_modules/**deps/npm/node_modules/encoding/lib/encoding.jsis excluded by!**/node_modules/**deps/npm/node_modules/encoding/package.jsonis excluded by!**/node_modules/**deps/npm/node_modules/encoding/test/test.jsis excluded by!**/node_modules/**deps/npm/node_modules/glob/dist/commonjs/glob.jsis excluded by!**/dist/**,!**/node_modules/**deps/npm/node_modules/glob/dist/commonjs/index.min.jsis excluded by!**/dist/**,!**/node_modules/**,!**/*.min.js
📒 Files selected for processing (240)
CHANGELOG.mdcommon.gypideps/npm/README.mddeps/npm/docs/content/commands/npm-get.mddeps/npm/docs/content/commands/npm-install-test.mddeps/npm/docs/content/commands/npm-install.mddeps/npm/docs/content/commands/npm-ll.mddeps/npm/docs/content/commands/npm-ls.mddeps/npm/docs/content/commands/npm-outdated.mddeps/npm/docs/content/commands/npm-set.mddeps/npm/docs/content/commands/npm-trust.mddeps/npm/docs/content/commands/npm-update.mddeps/npm/docs/content/commands/npm.mddeps/npm/docs/content/configuring-npm/folders.mddeps/npm/docs/content/configuring-npm/install.mddeps/npm/docs/content/configuring-npm/npmrc.mddeps/npm/docs/content/using-npm/config.mddeps/npm/docs/content/using-npm/dependency-selectors.mddeps/npm/docs/content/using-npm/developers.mddeps/npm/docs/content/using-npm/logging.mddeps/npm/docs/content/using-npm/orgs.mddeps/npm/docs/content/using-npm/package-spec.mddeps/npm/docs/content/using-npm/registry.mddeps/npm/docs/content/using-npm/removal.mddeps/npm/docs/content/using-npm/scope.mddeps/npm/docs/content/using-npm/scripts.mddeps/npm/docs/content/using-npm/workspaces.mddeps/npm/docs/lib/index.jsdeps/npm/docs/output/commands/npm-access.htmldeps/npm/docs/output/commands/npm-adduser.htmldeps/npm/docs/output/commands/npm-audit.htmldeps/npm/docs/output/commands/npm-bugs.htmldeps/npm/docs/output/commands/npm-cache.htmldeps/npm/docs/output/commands/npm-ci.htmldeps/npm/docs/output/commands/npm-completion.htmldeps/npm/docs/output/commands/npm-config.htmldeps/npm/docs/output/commands/npm-dedupe.htmldeps/npm/docs/output/commands/npm-deprecate.htmldeps/npm/docs/output/commands/npm-diff.htmldeps/npm/docs/output/commands/npm-dist-tag.htmldeps/npm/docs/output/commands/npm-docs.htmldeps/npm/docs/output/commands/npm-doctor.htmldeps/npm/docs/output/commands/npm-edit.htmldeps/npm/docs/output/commands/npm-exec.htmldeps/npm/docs/output/commands/npm-explain.htmldeps/npm/docs/output/commands/npm-explore.htmldeps/npm/docs/output/commands/npm-find-dupes.htmldeps/npm/docs/output/commands/npm-fund.htmldeps/npm/docs/output/commands/npm-get.htmldeps/npm/docs/output/commands/npm-help-search.htmldeps/npm/docs/output/commands/npm-help.htmldeps/npm/docs/output/commands/npm-init.htmldeps/npm/docs/output/commands/npm-install-ci-test.htmldeps/npm/docs/output/commands/npm-install-test.htmldeps/npm/docs/output/commands/npm-install.htmldeps/npm/docs/output/commands/npm-link.htmldeps/npm/docs/output/commands/npm-ll.htmldeps/npm/docs/output/commands/npm-login.htmldeps/npm/docs/output/commands/npm-logout.htmldeps/npm/docs/output/commands/npm-ls.htmldeps/npm/docs/output/commands/npm-org.htmldeps/npm/docs/output/commands/npm-outdated.htmldeps/npm/docs/output/commands/npm-owner.htmldeps/npm/docs/output/commands/npm-pack.htmldeps/npm/docs/output/commands/npm-ping.htmldeps/npm/docs/output/commands/npm-pkg.htmldeps/npm/docs/output/commands/npm-prefix.htmldeps/npm/docs/output/commands/npm-profile.htmldeps/npm/docs/output/commands/npm-prune.htmldeps/npm/docs/output/commands/npm-publish.htmldeps/npm/docs/output/commands/npm-query.htmldeps/npm/docs/output/commands/npm-rebuild.htmldeps/npm/docs/output/commands/npm-repo.htmldeps/npm/docs/output/commands/npm-restart.htmldeps/npm/docs/output/commands/npm-root.htmldeps/npm/docs/output/commands/npm-run.htmldeps/npm/docs/output/commands/npm-sbom.htmldeps/npm/docs/output/commands/npm-search.htmldeps/npm/docs/output/commands/npm-set.htmldeps/npm/docs/output/commands/npm-shrinkwrap.htmldeps/npm/docs/output/commands/npm-star.htmldeps/npm/docs/output/commands/npm-stars.htmldeps/npm/docs/output/commands/npm-start.htmldeps/npm/docs/output/commands/npm-stop.htmldeps/npm/docs/output/commands/npm-team.htmldeps/npm/docs/output/commands/npm-test.htmldeps/npm/docs/output/commands/npm-token.htmldeps/npm/docs/output/commands/npm-trust.htmldeps/npm/docs/output/commands/npm-undeprecate.htmldeps/npm/docs/output/commands/npm-uninstall.htmldeps/npm/docs/output/commands/npm-unpublish.htmldeps/npm/docs/output/commands/npm-unstar.htmldeps/npm/docs/output/commands/npm-update.htmldeps/npm/docs/output/commands/npm-version.htmldeps/npm/docs/output/commands/npm-view.htmldeps/npm/docs/output/commands/npm-whoami.htmldeps/npm/docs/output/commands/npm.htmldeps/npm/docs/output/commands/npx.htmldeps/npm/docs/output/configuring-npm/folders.htmldeps/npm/docs/output/configuring-npm/install.htmldeps/npm/docs/output/configuring-npm/npm-global.htmldeps/npm/docs/output/configuring-npm/npm-json.htmldeps/npm/docs/output/configuring-npm/npm-shrinkwrap-json.htmldeps/npm/docs/output/configuring-npm/npmrc.htmldeps/npm/docs/output/configuring-npm/package-json.htmldeps/npm/docs/output/configuring-npm/package-lock-json.htmldeps/npm/docs/output/using-npm/config.htmldeps/npm/docs/output/using-npm/dependency-selectors.htmldeps/npm/docs/output/using-npm/developers.htmldeps/npm/docs/output/using-npm/logging.htmldeps/npm/docs/output/using-npm/orgs.htmldeps/npm/docs/output/using-npm/package-spec.htmldeps/npm/docs/output/using-npm/registry.htmldeps/npm/docs/output/using-npm/removal.htmldeps/npm/docs/output/using-npm/scope.htmldeps/npm/docs/output/using-npm/scripts.htmldeps/npm/docs/output/using-npm/workspaces.htmldeps/npm/lib/base-cmd.jsdeps/npm/lib/commands/cache.jsdeps/npm/lib/commands/completion.jsdeps/npm/lib/commands/doctor.jsdeps/npm/lib/commands/edit.jsdeps/npm/lib/commands/explain.jsdeps/npm/lib/commands/explore.jsdeps/npm/lib/commands/fund.jsdeps/npm/lib/commands/get.jsdeps/npm/lib/commands/install.jsdeps/npm/lib/commands/ls.jsdeps/npm/lib/commands/rebuild.jsdeps/npm/lib/commands/run.jsdeps/npm/lib/commands/set.jsdeps/npm/lib/commands/team.jsdeps/npm/lib/commands/trust/circleci.jsdeps/npm/lib/commands/trust/github.jsdeps/npm/lib/commands/trust/gitlab.jsdeps/npm/lib/commands/trust/index.jsdeps/npm/lib/commands/trust/list.jsdeps/npm/lib/commands/trust/revoke.jsdeps/npm/lib/commands/uninstall.jsdeps/npm/lib/commands/update.jsdeps/npm/lib/commands/view.jsdeps/npm/lib/npm.jsdeps/npm/lib/trust-cmd.jsdeps/npm/lib/utils/cmd-list.jsdeps/npm/lib/utils/display.jsdeps/npm/lib/utils/npm-usage.jsdeps/npm/lib/utils/oidc.jsdeps/npm/lib/utils/reify-output.jsdeps/npm/lib/utils/sbom-cyclonedx.jsdeps/npm/lib/utils/sbom-spdx.jsdeps/npm/lib/utils/verify-signatures.jsdeps/npm/man/man1/npm-access.1deps/npm/man/man1/npm-adduser.1deps/npm/man/man1/npm-audit.1deps/npm/man/man1/npm-bugs.1deps/npm/man/man1/npm-cache.1deps/npm/man/man1/npm-ci.1deps/npm/man/man1/npm-completion.1deps/npm/man/man1/npm-config.1deps/npm/man/man1/npm-dedupe.1deps/npm/man/man1/npm-deprecate.1deps/npm/man/man1/npm-diff.1deps/npm/man/man1/npm-dist-tag.1deps/npm/man/man1/npm-docs.1deps/npm/man/man1/npm-doctor.1deps/npm/man/man1/npm-edit.1deps/npm/man/man1/npm-exec.1deps/npm/man/man1/npm-explain.1deps/npm/man/man1/npm-explore.1deps/npm/man/man1/npm-find-dupes.1deps/npm/man/man1/npm-fund.1deps/npm/man/man1/npm-get.1deps/npm/man/man1/npm-help-search.1deps/npm/man/man1/npm-help.1deps/npm/man/man1/npm-init.1deps/npm/man/man1/npm-install-ci-test.1deps/npm/man/man1/npm-install-test.1deps/npm/man/man1/npm-install.1deps/npm/man/man1/npm-link.1deps/npm/man/man1/npm-ll.1deps/npm/man/man1/npm-login.1deps/npm/man/man1/npm-logout.1deps/npm/man/man1/npm-ls.1deps/npm/man/man1/npm-org.1deps/npm/man/man1/npm-outdated.1deps/npm/man/man1/npm-owner.1deps/npm/man/man1/npm-pack.1deps/npm/man/man1/npm-ping.1deps/npm/man/man1/npm-pkg.1deps/npm/man/man1/npm-prefix.1deps/npm/man/man1/npm-profile.1deps/npm/man/man1/npm-prune.1deps/npm/man/man1/npm-publish.1deps/npm/man/man1/npm-query.1deps/npm/man/man1/npm-rebuild.1deps/npm/man/man1/npm-repo.1deps/npm/man/man1/npm-restart.1deps/npm/man/man1/npm-root.1deps/npm/man/man1/npm-run.1deps/npm/man/man1/npm-sbom.1deps/npm/man/man1/npm-search.1deps/npm/man/man1/npm-set.1deps/npm/man/man1/npm-shrinkwrap.1deps/npm/man/man1/npm-star.1deps/npm/man/man1/npm-stars.1deps/npm/man/man1/npm-start.1deps/npm/man/man1/npm-stop.1deps/npm/man/man1/npm-team.1deps/npm/man/man1/npm-test.1deps/npm/man/man1/npm-token.1deps/npm/man/man1/npm-trust.1deps/npm/man/man1/npm-undeprecate.1deps/npm/man/man1/npm-uninstall.1deps/npm/man/man1/npm-unpublish.1deps/npm/man/man1/npm-unstar.1deps/npm/man/man1/npm-update.1deps/npm/man/man1/npm-version.1deps/npm/man/man1/npm-view.1deps/npm/man/man1/npm-whoami.1deps/npm/man/man1/npm.1deps/npm/man/man1/npx.1deps/npm/man/man5/folders.5deps/npm/man/man5/install.5deps/npm/man/man5/npm-global.5deps/npm/man/man5/npm-json.5deps/npm/man/man5/npm-shrinkwrap-json.5deps/npm/man/man5/npmrc.5deps/npm/man/man5/package-json.5deps/npm/man/man5/package-lock-json.5deps/npm/man/man7/config.7deps/npm/man/man7/dependency-selectors.7deps/npm/man/man7/developers.7deps/npm/man/man7/logging.7deps/npm/man/man7/orgs.7deps/npm/man/man7/package-spec.7deps/npm/man/man7/registry.7deps/npm/man/man7/removal.7deps/npm/man/man7/scope.7deps/npm/man/man7/scripts.7deps/npm/man/man7/workspaces.7
💤 Files with no reviewable changes (10)
- deps/npm/lib/commands/edit.js
- deps/npm/lib/commands/explain.js
- deps/npm/lib/commands/explore.js
- deps/npm/lib/commands/fund.js
- deps/npm/lib/commands/get.js
- deps/npm/lib/commands/ls.js
- deps/npm/lib/commands/uninstall.js
- deps/npm/lib/commands/update.js
- deps/npm/lib/commands/rebuild.js
- deps/npm/lib/commands/set.js
RafaelGSS
approved these changes
Mar 27, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
12 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary by CodeRabbit
Release Notes
New Features
npm trustcommand for managing trusted publishing relationships with CI/CD providers (GitHub, GitLab, CircleCI) via OIDC.npm getandnpm setcommands for configuration management.npm llcommand (alias for listing installed packages).min-release-ageconfiguration option to filter package versions by release age for install, update, and outdated commands.Documentation
.npmrcconfiguration keys.