chore: release 11.18.0

[github-actions]

🤖 I have created a release beep boop

11.18.0

11.18.0 (2026-06-24)

Features

• fc9d4c7 #9635 namespace install-script approval commands under npm install-scripts (feat: namespace install-script approval commands under npm install-scripts #9635) (@manzoorwanijk)
• 073253f #9564 warn when min-release-age blocks an audit fix (feat: warn when min-release-age blocks an audit fix #9564) (@github-actions[bot], @JamieMagee)

Bug Fixes

• ae64f88 #9648 exec: resolve workspace-local bin under the linked install strategy (fix(exec): resolve workspace-local bin under the linked install strategy #9648) (@github-actions[bot], @manzoorwanijk)
• 784cbe9 #9636 ls: restore 100% coverage on release/v11 after fix(arborist): don't load store packages' devDependencies as required edges #9633 (fix(ls): restore 100% coverage on release/v11 after #9633 #9636) (@manzoorwanijk)
• 70f0ea5 #9607 approve-scripts: approve deps with no resolved URL by name (fix(approve-scripts): approve deps with no resolved URL by name #9607) (@github-actions[bot], @JamieMagee)
• b2e6338 #9602 arborist: don't flag inert optional deps in strict-allow-scripts (fix(arborist): don't flag inert optional deps in strict-allow-scripts #9602) (@github-actions[bot], @JamieMagee)
• 6ad5715 #9595 link: scope npm link <path> --workspace to the workspace, not the root (fix(link): scope npm link <path> --workspace to the workspace, not the root #9595) (@github-actions[bot], @manzoorwanijk)

Dependencies

• 804f9ba #9580 npm-profile@12.0.2

Chores

• a04cd84 #9584 add web-login proxy doneUrl regression for npm-profile fix (chore: add web-login proxy doneUrl regression for npm-profile fix #9584) (@github-actions[bot], @manzoorwanijk)
• workspace: @npmcli/arborist@9.9.0
• workspace: @npmcli/config@10.12.0
• workspace: libnpmdiff@8.1.11
• workspace: libnpmexec@10.3.1
• workspace: libnpmfund@7.0.25
• workspace: libnpmpack@9.1.11

arborist: 9.9.0

9.9.0 (2026-06-24)

Features

• 073253f #9564 warn when min-release-age blocks an audit fix (feat: warn when min-release-age blocks an audit fix #9564) (@github-actions[bot], @JamieMagee)

Bug Fixes

• 4c9eacb #9649 arborist: clean up stale .store and hoisted dirs on strategy switch (fix(arborist): clean up stale .store and hoisted dirs on strategy switch #9649) (@github-actions[bot], @manzoorwanijk)
• d2c680e #9645 arborist: invalid filterNode crash under the linked strategy (fix(arborist): invalid filterNode crash under the linked strategy #9645) (@github-actions[bot], @manzoorwanijk)
• 4e40b1c #9644 arborist: repair wrong-but-existing symlink target in linked strategy (fix(arborist): repair wrong-but-existing symlink target in linked strategy #9644) (@github-actions[bot], @manzoorwanijk)
• 9d1774e #9643 arborist: remove stale .bin shims after uninstall under linked (fix(arborist): remove stale .bin shims after uninstall under linked #9643) (@github-actions[bot], @manzoorwanijk)
• ed37d24 #9642 arborist: record the linked .store layout in the hidden lockfile (backport fix(arborist): record the linked .store layout in the hidden lockfile #9630) (fix(arborist): record the linked .store layout in the hidden lockfile (backport #9630) #9642) (@manzoorwanijk)
• e601d4a #9641 arborist: validate peerOptional conflicts in no-save mutations (fix(arborist): validate peerOptional conflicts in no-save mutations #9641) (@owlstronaut, @dale-lakes, @dale-lakes)
• 03cee43 #9638 arborist: fix audit-report determinism due to dropped via links (fix(arborist): fix audit-report determinism due to dropped via links #9638) (@github-actions[bot], @arjun-vegeta)
• a30d855 #9633 arborist: don't load store packages' devDependencies as required edges (fix(arborist): don't load store packages' devDependencies as required edges #9633) (@manzoorwanijk)
• 887ca97 #9631 arborist: audit the non-isolated tree under the linked strategy (fix(arborist): audit the non-isolated tree under the linked strategy #9631) (@github-actions[bot], @manzoorwanijk)
• b2e6338 #9602 arborist: don't flag inert optional deps in strict-allow-scripts (fix(arborist): don't flag inert optional deps in strict-allow-scripts #9602) (@github-actions[bot], @JamieMagee)
• 390ebfa #9593 arborist: symlink workspace file: deps on non-workspace local packages (fix(arborist): symlink workspace file: deps on non-workspace local packages #9593) (@github-actions[bot], @manzoorwanijk)
• aaeb2f1 #9578 arborist: expose store node_modules via NODE_PATH for linked-strategy install scripts (fix: expose store node_modules via NODE_PATH for linked-strategy install scripts #9578) (@github-actions[bot], @manzoorwanijk)
• 05b6f0f #9577 arborist: allow-remote exemption for proxy/mirror-fronted registry tarballs (fix(arborist): allow-remote exemption for proxy/mirror-fronted registry tarballs #9577) (@github-actions[bot], @manzoorwanijk)

config: 10.12.0

10.12.0 (2026-06-24)

Features

• 073253f #9564 warn when min-release-age blocks an audit fix (feat: warn when min-release-age blocks an audit fix #9564) (@github-actions[bot], @JamieMagee)

Bug Fixes

• b2e6338 #9602 arborist: don't flag inert optional deps in strict-allow-scripts (fix(arborist): don't flag inert optional deps in strict-allow-scripts #9602) (@github-actions[bot], @JamieMagee)

libnpmdiff: 8.1.11

Dependencies

• workspace: @npmcli/arborist@9.9.0

libnpmexec: 10.3.1

10.3.1 (2026-06-24)

Bug Fixes

• b2e6338 #9602 arborist: don't flag inert optional deps in strict-allow-scripts (fix(arborist): don't flag inert optional deps in strict-allow-scripts #9602) (@github-actions[bot], @JamieMagee)

Dependencies

• workspace: @npmcli/arborist@9.9.0

libnpmfund: 7.0.25

Dependencies

• workspace: @npmcli/arborist@9.9.0

libnpmpack: 9.1.11

Dependencies

• workspace: @npmcli/arborist@9.9.0

---

This PR was generated with Release Please. See documentation.

[github-actions]

Release Manager

Release workflow run: https://github.com/npm/cli/actions/runs/28126462548

Release Checklist for v11.18.0

• 1. Checkout the release branch

  Ensure git status is not dirty on this branch after resetting deps. If it is, then something is probably wrong with the automated release process.

  gh pr checkout 9565 --force

  npm run resetdeps

  node scripts/git-dirty.js

• 2. Check CI status

  gh pr checks --watch

• 3. Log in to npm

  npm login sessions are short lived, so you will want to have a fresh one before you publish.

  npm login

• 4. Publish the CLI and workspaces

  Warning:
  This will publish all updated workspaces to latest, prerelease or backport depending on their version, and will publish the CLI with the dist-tag set to next-11.

  Note:
  The --test argument can optionally be omitted to run the publish process without running any tests locally.

  node scripts/publish.js --test

• 5. Optionally install and test npm@11.18.0 locally

  npm i -g npm@11.18.0

  npm --version
  npm whoami
  npm help install
  # etc

• 6. Set latest dist-tag to newly published version

  Warning:
  NOT FOR PRERELEASE: Do not run this step for prereleases or if 11 is not being set to latest.

  node . dist-tag add npm@11.18.0 latest

• 7. Trigger docs.npmjs.com update

  gh workflow run update-cli.yml --repo npm/documentation

• 8. Approve and Merge release PR

  gh pr review --approve

  gh pr merge --rebase

  git checkout release/v11

  git fetch

  git reset --hard origin/release/v11

  node . run resetdeps

• 9. Wait For Release Tags

  Warning:
  The remaining steps all require the GitHub tags and releases to be created first. These are done once this PR has been labelled with autorelease: tagged.

  Release Please will run on the just merged release commit and create GitHub releases and tags for each package. The release bot will will comment on this PR when the releases and tags are created.

  Note:
  The release workflow also includes the Node integration tests which do not need to finish before continuing.

  You can watch the release workflow in your terminal with the following command:

  gh run watch `gh run list -R npm/cli -w release -b release/v11 -L 1 --json databaseId -q ".[0].databaseId"`
  

• 10. Mark GitHub Release as latest

  Warning:
  You must wait for CI to create the release tags before running this step. These are done once this PR has been labelled with autorelease: tagged.

  Release Please will make GitHub Releases for the CLI and all workspaces, but GitHub has UI affordances for which release should appear as the "latest", which should always be the CLI. To mark the CLI release as latest run this command:

  gh release -R npm/cli edit v11.18.0 --latest

• 11. Open nodejs/node PR to update npm

  Warning:
  You must wait for CI to create the release tags before running this step. These are done once this PR has been labelled with autorelease: tagged.

  Trigger the Create Node PR action. This will open a PR on nodejs/node to the main branch.

  First, sync our fork of node with the upstream source:

  gh repo sync npm/node --source nodejs/node --force

  Then, if we are opening a PR against the latest version of node:

  gh workflow run create-node-pr.yml -R npm/cli -f spec=next-11

  For backport releases, you must target the correct Node branch using -f branch=<NODE_MAJOR>. Make sure you are targeting the right Node major version for this npm version.

  For example, this will create a PR on nodejs/node to the v16.x-staging branch:

  gh workflow run create-node-pr.yml -R npm/cli -f spec=next-11 -f branch=16

• 12. Label and fast-track nodejs/node PR

  Note:
  This requires being a nodejs collaborator. This could be you!

  • Thumbs-up reaction on the Fast-track comment
  • Add an LGTM / Approval
  • Add request-ci label to get it running CI
  • Add commit-queue label once everything is green
  • For backport releases, comment on the PR asking the Node.js team to add dont-land-on-v<NODE_MAJOR> labels for Node versions where this npm version should not be included

[manzoorwanijk]

@owlstronaut #9633 seems to have broken the coverage

[manzoorwanijk]

I will try creating a PR to fix the coverage to unblock #9635

[manzoorwanijk]

#9636 should restore the coverage.