fix(deps): update dependency npm to v11.9.0 [security]

[renovate-sh-app]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
npm (source)	11.4.2 → 11.9.0

---

npm cli Uncontrolled Search Path Element Local Privilege Escalation Vulnerability

CVE-2026-0775 / GHSA-3966-f6p6-2qr9

More information

Details

npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of npm cli. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within the handling of modules. The application loads modules from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of a target user.

Severity

• CVSS Score: 7.0 / 10 (High)
• Vector String: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2026-0775
• https://github.com/npm/cli/issues/8939
• https://github.com/npm/cli
• https://www.zerodayinitiative.com/advisories/ZDI-26-043

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

npm/cli (npm)

v11.9.0

Compare Source

Features

• f5f6cf7 #​8943 config: add --allow-git (@​wraithgar)

Bug Fixes

• 2242f25 #​8952 webauth: improve error messages around webauth in non-TTY (#​8952) (@​Andarist)

Dependencies

• 332c9f3 #​8960 glob@13.0.1
• eca02c7 #​8960 minimatch@10.1.2 @isaacs/brace-expansion@5.0.1
• b3f8475 #​8951 minipass-fetch@5.0.1
• 924171b #​8951 is-cidr@6.0.2
• 4404002 #​8951 ci-info@4.4.0
• b65af73 #​8951 lru-cache@11.2.5
• 164c355 #​8951 tar@7.5.7
• a74a19c #​8951 node-gyp@12.2.0
• e0bc212 #​8943 pacote@21.1.0

Chores

• 4a82a8f #​8951 dev dependency updates (@​wraithgar)
• workspace: @npmcli/arborist@9.2.0
• workspace: @npmcli/config@10.6.0
• workspace: libnpmdiff@8.1.0
• workspace: libnpmexec@10.2.0
• workspace: libnpmfund@7.0.14
• workspace: libnpmpack@9.1.0

v11.8.0

Compare Source

Features

• 545e861 #​8828 show proxy environment variables in npm config list (Max Black)

Bug Fixes

• c2f784d #​8859 preserve serialNumber UUID in CycloneDX SBOM output #​8837 (#​8859) (@​saksham-malhotra-27)
• f2c3af7 #​8840 more intuitive byte formatting boundaries for rounding (#​8840) (@​watilde)

Documentation

• 3474ec3 #​8866 fix typo/logic error in npm-dedupe docs (#​8866) (@​Schweinepriester)
• 5552e46 #​8797 npm-install: explain package-lock.json behavior (#​8797) (@​MaxBlack-dev, Max Black)

Dependencies

• f478ca0 #​8919 postcss-selector-parser@7.1.1
• 2b6a71f #​8919 path-scurry@2.0.1
• 19096f2 #​8919 sigstore@4.1.0
• e7f5d1e #​8919 lru-cache@11.2.4
• 9e756ae #​8919 ip-address@10.1.0
• f951820 #​8919 common-ancestor-path@2.0.0
• 7a949ad #​8919 @sigstore/verify@3.1.0
• 6979ce1 #​8919 @sigstore/sign@4.1.0
• b4a6a41 #​8919 @sigstore/core@3.1.0
• dc8a8e8 #​8919 @sigstore/tuf@4.0.1
• be221ea #​8919 validate-npm-package-name@7.0.2
• 149823d #​8919 diff@8.0.3
• 32b2001 #​8919 tar@7.5.4

Chores

• 8f599df #​8919 pin jsdom to 27.0.0 (@​wraithgar)
• f4f1161 #​8919 dev dependency updates (@​wraithgar)
• workspace: @npmcli/arborist@9.1.10
• workspace: @npmcli/config@10.5.0
• workspace: libnpmdiff@8.0.13
• workspace: libnpmexec@10.1.12
• workspace: libnpmfund@7.0.13
• workspace: libnpmpack@9.0.13

v11.7.0

Compare Source

Features

• b380d15 #​8697 add deduping to notices unless in verbose+ mode (@​owlstronaut)

Bug Fixes

• 4ebb831 #​8839 updates hints to use cli paradigm (@​owlstronaut)
• 7896e51 #​8838 update the token list text (@​owlstronaut)
• 8ab8668 #​8836 query: support package-lock-only in workspaces (@​watilde)
• 35e8d38 #​8322 properly handle newlines with input when using the spinner (#​8322) (@​mbtools)
• 0c0faae #​8780 adduser: improve email prompt (#​8780) (@​mbtools)

Documentation

• 7f2ab9d #​8810 scripts: replace deprecated prepublish and install examples with prepare (Max Black)
• 91ebab7 #​8847 remove note about token create being disabled (@​owlstronaut)
• 2030250 #​8822 scripts: clarify prepare script runs with --production (Max Black)
• 33a50d7 #​8821 scripts: update npm_package_* environment variables documentation (Max Black)
• 50508f9 #​8793 package-json: add documentation for type field (#​8793) (@​MaxBlack-dev, Max Black)
• aa1dd7e #​8823 scripts: document that prepare scripts run concurrently in workspaces (Max Black)
• 3f48487 #​8820 package-spec: fix alias syntax in examples (Max Black)
• dd104da #​8812 version: add note about git version requirements (Max Black)
• 58afdcc #​8792 install: clarify prerelease version range behavior (Max Black)
• 9f818e8 #​8795 npm-view: clarify object property access syntax and provide examples (Max Black)
• 39c2f2e #​8791 add examples for command line flags including --prefix (Max Black)
• 1298530 #​8790 clarify version field can be omitted in package-lock (Max Black)
• 090b6ca #​8794 npx: clarify that arguments are passed to executed command (Max Black)
• a864f80 #​8787 document gypfile field in package.json (Max Black)
• 2fc689d #​8788 add field access patterns to npm view (Max Black)
• 4850639 #​8796 package-json: add examples for replacing dependencies with forks in overrides (Max Black)
• 4864dd4 #​8798 npm-install: document engines field priority when installing packages (Max Black)
• 95d25cd #​8799 package-json: clarify repository field normalization during publish (Max Black)
• a367f9b #​8800 package-lock-json: clarify that version field may be omitted for certain dependencies (Max Black)
• ffc9b71 #​8801 npm-install: clarify --tag does not override package.json (#​8801) (@​MaxBlack-dev, Max Black)
• 73688ca #​8735 clarify npm version behavior with prerelease versions (#​8735) (@​yashwantbezawada)
• 4a32606 #​8785 updates the token create documentation (#​8785) (@​owlstronaut, @​wraithgar)

Chores

• 54929ce #​8836 update baseline-browser-mapping (@​watilde)

Dependencies

• workspace: @npmcli/arborist@9.1.9
• workspace: @npmcli/config@10.4.5
• workspace: libnpmdiff@8.0.12
• workspace: libnpmexec@10.1.11
• workspace: libnpmfund@7.0.12
• workspace: libnpmpack@9.0.12

v11.6.4

Compare Source

Documentation

• dfb83c7 #​8749 add example for keywords field (#​8749) (@​MaxBlack-dev, Max Black)
• 1b1e227 #​8750 remove outdated roadmap link (#​8750) (@​MaxBlack-dev, Max Black)
• 1333d57 #​8752 clarify .npmrc naming convention for environment variable overrides (#​8752) (@​MaxBlack-dev)
• 22cddb8 #​8755 add workspace dependencies example to workspaces (Max Black)
• 17e154c #​8756 standardize env vars to uppercase convention (Max Black)
• 1e51a25 #​8754 fix lifecycle event order for prepare script (Max Black)
• 8d72bc9 #​8753 add os, cpu, and funding fields to package-lock.json (Max Black)

Dependencies

• f56bb13 #​8779 proc-log@6.1.0 (#​8779)
• f963223 #​8770 proggy@4.0.0
• f51e4aa #​8770 nopt@9.0.0
• 2d15040 #​8770 @npmcli/query@5.0.0
• 9d77b84 #​8770 @npmcli/installed-package-contents@4.0.0
• e2ac092 #​8770 read@5.0.1
• 6e5bfd9 #​8770 init-package-json@8.2.4
• 7f8e237 #​8770 p-map@7.0.4
• a4aa218 #​8770 npm-user-validate@4.0.0
• 6430446 #​8770 npm-audit-report@7.0.0
• 58650dc #​8770 @npmcli/fs@5.0.0
• 4a11146 #​8770 glob@13.0.0
• 00511d4 #​8770 @npmcli/cacache@20.0.3
• 224afa2 #​8770 @npmcli/map-workspaces@5.0.3
• 664ac34 #​8770 @npmcli/package-json@7.0.4
• workspace: @npmcli/arborist@9.1.8
• workspace: @npmcli/config@10.4.4
• workspace: libnpmdiff@8.0.11
• workspace: libnpmexec@10.1.10
• workspace: libnpmfund@7.0.11
• workspace: libnpmpack@9.0.11

v11.6.3

Compare Source

Bug Fixes

• c6242d9 #​8706 change npm profile to create tokens with GAT support (#​8706) (@​owlstronaut, @​wraithgar)
• cbc6fa9 #​8731 order of version information in error message (#​8731) (@​piotrd, @​pd-be)
• 11dbd7e #​8709 display full token when creating authentication tokens (#​8709) (@​MaxBlack-dev, Max Black)
• 49a4eef #​8676 use look behind regex for trailing slash stripping (#​8676) (@​wraithgar)
• b1aee62 #​8645 dep flag calculation (#​8645) (@​liamcmitchell)

Documentation

• ca53c21 #​8745 add workspace usage examples (#​8745) (@​MaxBlack-dev, Max Black)
• e71ca0e #​8746 add --save flag to documentation (#​8746) (@​MaxBlack-dev, Max Black)
• 06510a8 #​8683 add ignore-scripts option to npm version help and docs (#​8683) (@​Tejas242)

Dependencies

• 7f72238 #​8723 cacache@20.0.2
• 7ac9db8 #​8723 init-package-json@8.2.3
• 41e97c6 #​8723 validate-npm-package-name@7.0.0
• 6b1fbe1 #​8723 npm-package-arg@13.0.2
• aa1d486 #​8723 @npmcli/promise-spawn@9.0.1
• 599c819 #​8723 which@6.0.0
• e49286e #​8723 ini@5.0.0
• b7c9f96 #​8723 @npmcli/promise-spawn@9.0.0
• 8cc9f70 #​8723 ssri@13.0.0
• 0b7274f #​8723 pacote@21.0.4
• 59b3c6a #​8723 @npmcli/redact@4.0.0
• 578abad #​8723 node-gyp@12.1.0
• 89c4151 #​8723 @npmcli/git@7.0.1
• c6d109d #​8723 make-fetch-happen@15.0.3
• 34d8599 #​8723 npm-registry-fetch@19.1.1
• 4811a86 #​8723 @npmcli/run-script@10.0.3
• 6cb77df #​8723 @npmcli/installed-package-contents@4.0.0
• 05ac7a7 #​8723 proc-log@6.0.0
• 0a74f6d #​8723 bin-links@6.0.0
• c02ce5c #​8723 @npmcli/package-json@7.0.2
• 9c0cefa #​8723 json-parse-even-better-errors@5.0.0
• 041b9b2 #​8723 parse-conflict-json@5.0.1
• a1b0fea #​8723 @npmcli/name-from-folder@4.0.0
• a085745 #​8723 abbrev@4.0.0
• 00d9c7d #​8723 nopt@9.0.0
• 3404dca #​8723 npm-install-checks@8.0.0
• 542fcf3 #​8723 @npmcli/node-gyp@5.0.0
• 89e14d3 #​8723 tar@7.5.2
• 5383f3a #​8723 npm-registry-fetch@19.1.0
• 1bb9a7d #​8723 npm-profile@12.0.1
• de619a4 #​8723 npm-pick-manifest@11.0.3
• 0e042ec #​8723 npm-packlist@10.0.3
• 2a3c338 #​8723 node-gyp@11.5.0
• b96e86c #​8723 minimatch@10.1.1
• d347329 #​8723 exponential-backoff@3.1.3
• d6830f4 #​8723 @npmcli/run-script@10.0.2
• bcc7ec8 #​8723 @npmcli/metavuln-calculator@9.0.3
• 7a419df #​8723 @npmcli/map-workspaces@5.0.1

Chores

• 32bdd83 #​8723 fix package-lock (@​wraithgar)
• 4bff14b #​8670 write tarball to testDir (#​8670) (@​wraithgar)
• 679486b #​8672 fix lockfile (#​8672) (@​wraithgar)
• workspace: @npmcli/arborist@9.1.7
• workspace: @npmcli/config@10.4.3
• workspace: libnpmdiff@8.0.10
• workspace: libnpmexec@10.1.9
• workspace: libnpmfund@7.0.10
• workspace: libnpmpack@9.0.10
• workspace: libnpmpublish@11.1.3
• workspace: libnpmversion@8.0.3

v11.6.2

Compare Source

Bug Fixes

• c54d1e9 #​8633 progress bar code cleanup (#​8633) (@​wraithgar)
• d352e27 #​8629 do not redact notice logs going to stdout (#​8629) (@​wraithgar)
• 5ac3678 #​8617 spelling in ./lib and ./test/lib (#​8617) (@​jsoref)
• 9197995 #​8619 spelling (#​8619) (@​jsoref)
• dd884e3 #​8618 spelling (#​8618) (@​jsoref)
• f6028e6 #​8614 skip redacting urls meant for opening by the user (#​8614) (@​wraithgar, @​jolyndenning)
• 54fd27f #​8602 refactor node.ideallyInert to node.inert (#​8602) (@​liamcmitchell)
• 79e3c1e #​8593 use @​npmcli/package-json to normalize package data (@​wraithgar)

Documentation

• 0469c5e #​8639 rewrap markdown (#​8639) (@​jsoref)
• 9ceb9c1 #​8636 rewrap markdown (#​8636) (@​jsoref)
• 6324370 #​8616 fix spelling (#​8616) (@​jsoref)
• 1b0429a #​8607 Fix spelling (#​8607) (@​jsoref)
• 7fbe07a #​8603 clean up deprecated npm access commands (#​8603) (@​jsoref)

Dependencies

• fa7cc6f #​8662 ci-info@4.3.1 (#​8662)
• b05461b #​8663 @sigstore/sign@4.0.1 (#​8663)
• c31de22 #​8661 downgrade ci-info to 4.3.0 (#​8661) (@​wraithgar)
• c5191b5 #​8659 ci-info@4.3.1
• f255c92 #​8659 hosted-git-info@9.0.2
• bdaf323 #​8659 is-cidr@6.0.1
• a33f106 #​8659 lru-cache@11.2.2
• 8044e07 #​8659 npm-package-arg@13.0.1
• f577504 #​8659 npm-packlist@10.0.2
• 9aa4fa6 #​8659 semver@7.7.3
• fe9484a #​8593 remove normalize-package-data

Chores

• b3409f4 #​8659 dev dependency updates (@​wraithgar)
• e8de81b #​8643 Add automatically generated annotation to dependencies.md (#​8643) (@​jsoref)
• 67cfaf3 #​8627 fix spelling: different (#​8627) (@​jsoref)
• 17ddc0d #​8622 fix spelling (#​8622) (@​jsoref)
• c3e1790 #​8605 Remove reference to nonexistent calendar (#​8605) (@​jsoref)
• ac9143e #​8604 Improve link accessibility for screen reader users (#​8604) (@​jsoref)
• 62d73e7 #​8601 remove references to benchmarks workflow (#​8601) (@​jsoref)
• bb4b739 #​8598 remove stale comment (#​8598) (@​jsoref)
• f73e65d #​8592 fix build url code for remark-github@​12 (#​8592) (@​wraithgar)
• workspace: @npmcli/arborist@9.1.6
• workspace: @npmcli/config@10.4.2
• workspace: libnpmaccess@10.0.3
• workspace: libnpmdiff@8.0.9
• workspace: libnpmexec@10.1.8
• workspace: libnpmfund@7.0.9
• workspace: libnpmpack@9.0.9
• workspace: libnpmpublish@11.1.2

v11.6.1

Compare Source

Bug Fixes

• d389614 #​8579 corrects peer dependency flag propagation (@​owlstronaut)
• 5db81c3 #​8512 allow concurrent non-local npx calls (#​8512) (@​jenseng, @​wraithgar)

Documentation

• 7a09902 #​8582 bring back certfile (#​8582) (@​jenseng)

Dependencies

• 849dcb6 #​8589 tar@7.5.1 (#​8589)
• ea15731 #​8576 binary-extensions@3.1.0
• 0f41bac #​8576 tiny-relative-date@2.0.2
• 07bf540 #​8576 is-cidr@6.0.0
• ef87ec6 #​8576 diff@8.0.2
• 48285e0 #​8576 add fdir, isexe, and picomatch to node_modules
• 099238a #​8576 fdir@6.5.0
• 6e4d673 #​8576 isexe@3.1.1
• 09a7494 #​8576 supports-color@10.2.2
• c5157c9 #​8576 chalk@5.6.2
• 46035db #​8576 debug@4.4.3
• 5f6664b #​8576 spdx-license-ids@3.0.22
• 5516583 #​8576 socks@2.8.7
• 6a392f3 #​8576 tinyglobby@0.2.15
• 9519f18 #​8576 npm-install-checks@7.1.2
• 34bafd1 #​8576 node-gyp@11.4.2
• dfd034e #​8576 @npmcli/promise-spawn@8.0.3
• d4eef14 #​8576 rimraf@6.0.1
• 566f1b7 #​8576 minimatch@10.0.3
• ac33497 #​8576 mkdirp@3.0.1
• 1676626 #​8576 glob@11.0.3
• 817f0b1 #​8576 ignore-walk@8.0.0
• 79a4e67 #​8576 minizlib@3.0.2
• 38fa2c2 #​8576 negotiator@1.0.0
• 24252a1 #​8576 @npmcli/agent@4.0.0
• ea7ca5f #​8576 lru-cache@11.2.1
• 521823b #​8576 @npmcli/git@7.0.0
• bf6b686 #​8576 npm-package-arg@13.0.0
• 9392488 #​8576 npm-package-manifest@11.0.1
• 0082083 #​8576 normalize-package-data@8.0.0
• 633c4ed #​8576 hosted-git-info@9.0.0
• 66f64eb #​8576 make-fetch-happen@15.0.2
• 1f85f94 #​8576 @sigstore/tuf@4.0.0
• a2bdecc #​8576 sigstore@4.0.0
• 1149971 #​8576 npm-registry-fetch@19.0.0
• b5bd5e3 #​8576 npm-profile@12.0.0
• 6221e27 #​8576 @npmcli/metavuln-calculator@9.0.2
• da81a37 #​8576 cacache@20.0.1
• 6b4c5f9 #​8576 @npmcli/run-script@10.0.0
• cb36a8a #​8576 init-package-json@8.2.2
• b6bb9ae #​8576 pacote@21.0.3
• 1b4433f #​8576 @npmcli/map-workspaces@5.0.0
• ceae674 #​8576 @npmcli/package-json@7.0.1
• 4f37534 #​8576 remove read-package-json-fast

Chores

• 7eb5c09 #​8576 update package-lock with peer flag fixes (@​wraithgar)
• 0d00fd8 #​8576 jsdom@27.0.0 (@​wraithgar)
• [420a569](https://redirect.github.com/npm/cli/commit/420a569762e65b50d1

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.