chore: release 11.8.0

[github-actions]

🤖 I have created a release beep boop

11.8.0

11.8.0 (2026-01-21)

Features

• 545e861 #8828 show proxy environment variables in npm config list (Max Black)

Bug Fixes

• c2f784d #8859 preserve serialNumber UUID in CycloneDX SBOM output [BUG] sbom cyclonedx files contain invalid serialNumber #8837 (fix: preserve serialNumber UUID in CycloneDX SBOM output #8837 #8859) (@saksham-malhotra-27)
• f2c3af7 #8840 more intuitive byte formatting boundaries for rounding (fix: more intuitive byte formatting boundaries for rounding #8840) (@watilde)

Documentation

• 3474ec3 #8866 fix typo/logic error in npm-dedupe docs (docs: fix typo/logic error in npm-dedupe docs #8866) (@Schweinepriester)
• 5552e46 #8797 npm-install: explain package-lock.json behavior (docs(npm-install): explain package-lock.json behavior #8797) (@MaxBlack-dev, Max Black)

Dependencies

• f478ca0 #8919 postcss-selector-parser@7.1.1
• 2b6a71f #8919 path-scurry@2.0.1
• 19096f2 #8919 sigstore@4.1.0
• e7f5d1e #8919 lru-cache@11.2.4
• 9e756ae #8919 ip-address@10.1.0
• f951820 #8919 common-ancestor-path@2.0.0
• 7a949ad #8919 @sigstore/verify@3.1.0
• 6979ce1 #8919 @sigstore/sign@4.1.0
• b4a6a41 #8919 @sigstore/core@3.1.0
• dc8a8e8 #8919 @sigstore/tuf@4.0.1
• be221ea #8919 validate-npm-package-name@7.0.2
• 149823d #8919 diff@8.0.3
• 32b2001 #8919 tar@7.5.4

Chores

• 8f599df #8919 pin jsdom to 27.0.0 (@wraithgar)
• f4f1161 #8919 dev dependency updates (@wraithgar)
• workspace: @npmcli/arborist@9.1.10
• workspace: @npmcli/config@10.5.0
• workspace: libnpmdiff@8.0.13
• workspace: libnpmexec@10.1.12
• workspace: libnpmfund@7.0.13
• workspace: libnpmpack@9.0.13

arborist: 9.1.10

9.1.10 (2026-01-21)

Dependencies

• f951820 #8919 common-ancestor-path@2.0.0

config: 10.5.0

10.5.0 (2026-01-21)

Features

• 5a444d5 #8828 export environment config variable names (Max Black)

libnpmdiff: 8.0.13

Dependencies

• workspace: @npmcli/arborist@9.1.10

libnpmexec: 10.1.12

Dependencies

• workspace: @npmcli/arborist@9.1.10

libnpmfund: 7.0.13

Dependencies

• workspace: @npmcli/arborist@9.1.10

libnpmpack: 9.0.13

Dependencies

• workspace: @npmcli/arborist@9.1.10

---

This PR was generated with Release Please. See documentation.

[github-actions]

Release Manager

Release workflow run: https://github.com/npm/cli/actions/runs/21217988436

Release Checklist for v11.8.0

• 1. Checkout the release branch

  Ensure git status is not dirty on this branch after resetting deps. If it is, then something is probably wrong with the automated release process.

  gh pr checkout 8853 --force

  npm run resetdeps

  node scripts/git-dirty.js

• 2. Check CI status

  gh pr checks --watch

• 3. Publish the CLI and workspaces

  Warning:
  This will publish all updated workspaces to latest, prerelease or backport depending on their version, and will publish the CLI with the dist-tag set to next-11.

  Note:
  The --test argument can optionally be omitted to run the publish process without running any tests locally.

  node scripts/publish.js --test

• 4. Optionally install and test npm@11.8.0 locally

  npm i -g npm@11.8.0

  npm --version
  npm whoami
  npm help install
  # etc

• 5. Set latest dist-tag to newly published version

  Warning:
  NOT FOR PRERELEASE: Do not run this step for prereleases or if 11 is not being set to latest.

  node . dist-tag add npm@11.8.0 latest

• 6. Trigger docs.npmjs.com update

  gh workflow run update-cli.yml --repo npm/documentation

• 7. Approve and Merge release PR

  gh pr review --approve

  gh pr merge --rebase

  git checkout latest

  git fetch

  git reset --hard origin/latest

  node . run resetdeps

• 8. Wait For Release Tags

  Warning:
  The remaining steps all require the GitHub tags and releases to be created first. These are done once this PR has been labelled with autorelease: tagged.

  Release Please will run on the just merged release commit and create GitHub releases and tags for each package. The release bot will will comment on this PR when the releases and tags are created.

  Note:
  The release workflow also includes the Node integration tests which do not need to finish before continuing.

  You can watch the release workflow in your terminal with the following command:

  gh run watch `gh run list -R npm/cli -w release -b latest -L 1 --json databaseId -q ".[0].databaseId"`
  

• 9. Mark GitHub Release as latest

  Warning:
  You must wait for CI to create the release tags before running this step. These are done once this PR has been labelled with autorelease: tagged.

  Release Please will make GitHub Releases for the CLI and all workspaces, but GitHub has UI affordances for which release should appear as the "latest", which should always be the CLI. To mark the CLI release as latest run this command:

  gh release -R npm/cli edit v11.8.0 --latest

• 10. Open nodejs/node PR to update npm to latest

  Warning:
  You must wait for CI to create the release tags before running this step. These are done once this PR has been labelled with autorelease: tagged.

  Trigger the Create Node PR action. This will open a PR on nodejs/node to the main branch.

  Note:
  The resulting PR may need to be labelled if it is not intended to land on old Node versions.

  First, sync our fork of node with the upstream source:

  gh repo sync npm/node --source nodejs/node --force

  Then, if we are opening a PR against the latest version of node:

  gh workflow run create-node-pr.yml -f spec=next-11

  If the PR should be opened on a different branch (such as when doing backports) then run it with -f branch=<BRANCH_NAME>. There is also a shortcut to target a specific Node version by specifying a major version number with -f branch=18 (or similar).

  For example, this will create a PR on nodejs/node to the v16.x-staging branch:

  gh workflow run create-node-pr.yml -f spec=next-11 -f branch=16

• 11. Label and fast-track nodejs/node PR

  Note:
  This requires being a nodejs collaborator. This could be you!

  • Thumbs-up reaction on the Fast-track comment
  • Add an LGTM / Approval
  • Add request-ci label to get it running CI
  • Add commit-queue label once everything is green

[MarkWilsonInform]

Would really be appreciated if this release is out asap. Since Saturday version 11.7.0 is being blocked by Xray (CVE-2026-23745).

[prajwalmr62]

Would really be appreciated if this release is out asap. Since Saturday version 11.7.0 is being blocked by Xray (CVE-2026-23745).

But does it fix the mentioned vulnerability? I do not see version update in package-lock files.

[MarkWilsonInform]

Would really be appreciated if this release is out asap. Since Saturday version 11.7.0 is being blocked by Xray (CVE-2026-23745).

But does it fix the mentioned vulnerability? I do not see version update in package-lock files.

Just checked - you´re right. 11.8.0 still uses tar version 7.5.2 - needs to be ^7.5.3

[Andrea-Filice]

Would really be appreciated if this release is out asap. Since Saturday version 11.7.0 is being blocked by Xray (CVE-2026-23745).

But does it fix the mentioned vulnerability? I do not see version update in package-lock files.

Just checked - you´re right. 11.8.0 still uses tar version 7.5.2 - needs to be ^7.5.3

You're right, also with diff dependencies. Just reported to #8911

[github-actions]

🤖 Created releases:

• v11.8.0

🌻

[github-actions]

🤖 Created releases:

• arborist-v9.1.10
• config-v10.5.0
• libnpmdiff-v8.0.13
• libnpmexec-v10.1.12
• libnpmfund-v7.0.13
• libnpmpack-v9.0.13

🌻

[github-actions]

Release Workflow

• @npmcli/arborist@9.1.10 https://github.com/npm/cli/releases/tag/arborist-v9.1.10
• @npmcli/config@10.5.0 https://github.com/npm/cli/releases/tag/config-v10.5.0
• libnpmdiff@8.0.13 https://github.com/npm/cli/releases/tag/libnpmdiff-v8.0.13
• libnpmexec@10.1.12 https://github.com/npm/cli/releases/tag/libnpmexec-v10.1.12
• libnpmfund@7.0.13 https://github.com/npm/cli/releases/tag/libnpmfund-v7.0.13
• libnpmpack@9.0.13 https://github.com/npm/cli/releases/tag/libnpmpack-v9.0.13
• Workflow run: ❌ https://github.com/npm/cli/actions/runs/21229227048

🚨🚨🚨

@npm/cli-team: The post-release workflow failed for this release. Manual steps may need to be taken after examining the workflow output.

🚨🚨🚨