iframe-proxy

npm-cli-bot · 2025-09-25T16:54:59Z

11.6.1 (2025-09-23)

Bug Fixes

d389614 #8579 corrects peer dependency flag propagation (@owlstronaut)
5db81c3 #8512 allow concurrent non-local npx calls (#8512) (@jenseng, @wraithgar)

Documentation

7a09902 #8582 bring back certfile (#8582) (@jenseng)

Dependencies

849dcb6 #8589 tar@7.5.1 (#8589)
ea15731 #8576 binary-extensions@3.1.0
0f41bac #8576 tiny-relative-date@2.0.2
07bf540 #8576 is-cidr@6.0.0
ef87ec6 #8576 diff@8.0.2
48285e0 #8576 add fdir, isexe, and picomatch to node_modules
099238a #8576 fdir@6.5.0
6e4d673 #8576 isexe@3.1.1
09a7494 #8576 supports-color@10.2.2
c5157c9 #8576 chalk@5.6.2
46035db #8576 debug@4.4.3
5f6664b #8576 spdx-license-ids@3.0.22
5516583 #8576 socks@2.8.7
6a392f3 #8576 tinyglobby@0.2.15
9519f18 #8576 npm-install-checks@7.1.2
34bafd1 #8576 node-gyp@11.4.2
dfd034e #8576 @npmcli/promise-spawn@8.0.3
d4eef14 #8576 rimraf@6.0.1
566f1b7 #8576 minimatch@10.0.3
ac33497 #8576 mkdirp@3.0.1
1676626 #8576 glob@11.0.3
817f0b1 #8576 ignore-walk@8.0.0
79a4e67 #8576 minizlib@3.0.2
38fa2c2 #8576 negotiator@1.0.0
24252a1 #8576 @npmcli/agent@4.0.0
ea7ca5f #8576 lru-cache@11.2.1
521823b #8576 @npmcli/git@7.0.0
bf6b686 #8576 npm-package-arg@13.0.0
9392488 #8576 npm-package-manifest@11.0.1
0082083 #8576 normalize-package-data@8.0.0
633c4ed #8576 hosted-git-info@9.0.0
66f64eb #8576 make-fetch-happen@15.0.2
1f85f94 #8576 @sigstore/tuf@4.0.0
a2bdecc #8576 sigstore@4.0.0
1149971 #8576 npm-registry-fetch@19.0.0
b5bd5e3 #8576 npm-profile@12.0.0
6221e27 #8576 @npmcli/metavuln-calculator@9.0.2
da81a37 #8576 cacache@20.0.1
6b4c5f9 #8576 @npmcli/run-script@10.0.0
cb36a8a #8576 init-package-json@8.2.2
b6bb9ae #8576 pacote@21.0.3
1b4433f #8576 @npmcli/map-workspaces@5.0.0
ceae674 #8576 @npmcli/package-json@7.0.1
4f37534 #8576 remove read-package-json-fast

Chores

7eb5c09 #8576 update package-lock with peer flag fixes (@wraithgar)
0d00fd8 #8576 jsdom@27.0.0 (@wraithgar)
420a569 #8576 unified@11.0.5 (@wraithgar)
064deb3 #8576 remark-rehype@11.1.2 (@wraithgar)
30fe3ba #8576 remark-man@9.0.0 (@wraithgar)
1c6bb4c #8576 rehype-stringify@10.0.1 (@wraithgar)
208cb93 #8576 remark-gfm@4.0.1 (@wraithgar)
4a46b5a #8576 remark-github@12.0.0 (@wraithgar)
93d190b #8576 remark-parse@11.0.0 (@wraithgar)
05301a4 #8576 remark@15.0.1 (@wraithgar)
6afdda9 #8576 ajv-formats@3.0.1 (@wraithgar)
402a0ab #8576 @npmcli/template-oss@4.25.1 (@wraithgar)
3b43bf7 #8576 dev dependency updates (@wraithgar)
9f9146f #8576 @tufjs/repo-mock@4.0.0 (@wraithgar)
eed8a10 #8576 use latest/local arborist in mock-registry (@wraithgar)
workspace: @npmcli/arborist@9.1.5
workspace: @npmcli/config@10.4.1
workspace: libnpmaccess@10.0.2
workspace: libnpmdiff@8.0.8
workspace: libnpmexec@10.1.7
workspace: libnpmfund@7.0.8
workspace: libnpmorg@8.0.1
workspace: libnpmpack@9.0.8
workspace: libnpmpublish@11.1.1
workspace: libnpmsearch@9.0.1
workspace: libnpmteam@8.0.2
workspace: libnpmversion@8.0.2

nodejs-github-bot · 2025-09-25T16:55:06Z

github-actions · 2025-09-25T16:55:18Z

Fast-track has been requested by @nodejs-github-bot. Please 👍 to approve.

wraithgar · 2025-09-25T17:01:35Z

The main update here is getting our subdependencies updated. Most of the npmcli ones needed semver major changes to get up to the same engines declaration as npm itself. This is a follow up task to any new major npm release, but this one just took awhile.

nodejs-github-bot · 2025-09-27T16:32:29Z

CI: https://ci.nodejs.org/job/node-test-pull-request/69394/

nodejs-github-bot · 2025-09-30T21:06:32Z

CI: https://ci.nodejs.org/job/node-test-pull-request/69478/

nodejs-github-bot · 2025-10-02T21:26:54Z

CI: https://ci.nodejs.org/job/node-test-pull-request/69513/

nodejs-github-bot · 2025-10-02T22:31:00Z

Landed in 5d843c9

PR-URL: #60012 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>

ChALkeR · 2025-10-27T12:32:52Z

This introduced a tar version which could expose uninitialized memory if zero-fill is disabled in #60423

See isaacs/node-tar#445

Is affected code ever called from npm?
If yes, is returning uninitialized process memory a concern?

wraithgar · 2025-10-27T16:06:08Z

I don't believe npm does any synchronous operations with tar.

$ npm query \#tar|npx json -a _id location from
tar@7.5.1 node_modules/tar [
  "node_modules/node-gyp",
  "node_modules/pacote",
  "workspaces/libnpmdiff",
  "node_modules/node-gyp/node_modules/cacache",
  ""
]

node-gyp does an async extract

$ grep -r tar\\. node_modules/node-gyp/lib/
node_modules/node-gyp/lib/install.js:          await tar.extract({
node_modules/node-gyp/lib/install.js:              tar.extract({

pacote does an async extract and list

node_modules/pacote/lib/dir.js:      .then(files => tar.c(tarCreateOptions(this.package), files)
node_modules/pacote/lib/fetcher.js:    const extractor = tar.x(this.#tarxOptions({ cwd: dest }))

libnpmdiff does an async create and list

workspaces/libnpmdiff/lib/index.js:const untar = require('./untar.js')
workspaces/libnpmdiff/lib/tarball.js:      tar.c(tarCreateOptions(manifest), files).concat()
workspaces/libnpmdiff/lib/untar.js:  tar.list({

npm itself does an async list

lib/utils/tar.js:  const stream = tar.t({

cacache never actually used it npm/cacache#312

ChALkeR · 2025-10-28T09:51:13Z

@wraithgar Thanks! I also rechecked the usage here and it appears that the problematic codepath is indeed not used from npm

ChALkeR · 2025-10-28T10:11:28Z

deps: upgrade npm to 11.6.1

30624b9

nodejs-github-bot added fast-track PRs that do not need to wait for 72 hours to land. needs-ci PRs that need a full CI run. npm Issues and PRs related to the npm client dependency or the npm registry. labels Sep 25, 2025

richardlau added dont-land-on-v20.x PRs that should not land on the v20.x-staging branch and should not be released in v20.x. dont-land-on-v22.x PRs that should not land on the v22.x-staging branch and should not be released in v22.x. labels Sep 25, 2025

lpinca approved these changes Sep 25, 2025

View reviewed changes

targos approved these changes Sep 25, 2025

View reviewed changes

lpinca added the request-ci Add this label to start a Jenkins CI on a PR. label Sep 27, 2025

github-actions Bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Sep 27, 2025

RafaelGSS approved these changes Sep 29, 2025

View reviewed changes

aduh95 removed the fast-track PRs that do not need to wait for 72 hours to land. label Sep 30, 2025

aduh95 added the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label Sep 30, 2025

addaleax added the commit-queue Add this label to land a pull request using GitHub Actions. label Oct 2, 2025

nodejs-github-bot removed the commit-queue Add this label to land a pull request using GitHub Actions. label Oct 2, 2025

nodejs-github-bot merged commit 5d843c9 into nodejs:main Oct 2, 2025
82 checks passed

targos pushed a commit that referenced this pull request Oct 6, 2025

deps: upgrade npm to 11.6.1

dc44c9f

PR-URL: #60012 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>

github-actions Bot mentioned this pull request Oct 7, 2025

2025-10-08, Version 24.10.0 (Current) #60136

Merged

This was referenced Oct 27, 2025

allocUnsafe is useless since 24 #60423

Closed

2025-10-28, Version 24.11.0 'Krypton' (LTS) #60414

Merged

ChALkeR mentioned this pull request Oct 28, 2025

[v24.x] deps: patch npm/tar to not return uninitialized mem #60430

Closed

Ankush-Pathak mentioned this pull request Nov 4, 2025

doc(npm): Add false-positive-determination for GHSA-29xp-372q-xqph wolfi-dev/advisories#25125

Merged

github-actions Bot mentioned this pull request Jan 3, 2026

chore(nix): update flake.lock (act, actionlint, awscli2 +25 more) i9wa4/dotfiles#79

Closed

Sunbelt Computer Software

PL/B Language Development and Support

Uh oh!

Conversation

npm-cli-bot commented Sep 25, 2025

11.6.1 (2025-09-23)

Bug Fixes

Documentation

Dependencies

Chores

Uh oh!

nodejs-github-bot commented Sep 25, 2025

Uh oh!

github-actions Bot commented Sep 25, 2025

Uh oh!

wraithgar commented Sep 25, 2025

Uh oh!

nodejs-github-bot commented Sep 27, 2025

Uh oh!

nodejs-github-bot commented Sep 30, 2025

Uh oh!

nodejs-github-bot commented Oct 2, 2025

Uh oh!

Uh oh!

nodejs-github-bot commented Oct 2, 2025

Uh oh!

ChALkeR commented Oct 27, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

wraithgar commented Oct 27, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

ChALkeR commented Oct 28, 2025

Uh oh!

ChALkeR commented Oct 28, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

10 participants

ChALkeR commented Oct 27, 2025 •

edited

Loading

wraithgar commented Oct 27, 2025 •

edited

Loading

ChALkeR commented Oct 28, 2025 •

edited

Loading