chore(deps): update npm to v11.9.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
npm (source)	11.6.4 → 11.9.0

---

npm cli Uncontrolled Search Path Element Local Privilege Escalation Vulnerability

CVE-2026-0775 / GHSA-3966-f6p6-2qr9

More information

Details

npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of npm cli. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within the handling of modules. The application loads modules from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of a target user.

Severity

• CVSS Score: 7.0 / 10 (High)
• Vector String: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2026-0775
• https://github.com/npm/cli/issues/8939
• https://github.com/npm/cli
• https://www.zerodayinitiative.com/advisories/ZDI-26-043

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

npm/cli (npm)

v11.9.0

Compare Source

Features

• f5f6cf7 #​8943 config: add --allow-git (@​wraithgar)

Bug Fixes

• 2242f25 #​8952 webauth: improve error messages around webauth in non-TTY (#​8952) (@​Andarist)

Dependencies

• 332c9f3 #​8960 glob@13.0.1
• eca02c7 #​8960 minimatch@10.1.2 @isaacs/brace-expansion@5.0.1
• b3f8475 #​8951 minipass-fetch@5.0.1
• 924171b #​8951 is-cidr@6.0.2
• 4404002 #​8951 ci-info@4.4.0
• b65af73 #​8951 lru-cache@11.2.5
• 164c355 #​8951 tar@7.5.7
• a74a19c #​8951 node-gyp@12.2.0
• e0bc212 #​8943 pacote@21.1.0

Chores

• 4a82a8f #​8951 dev dependency updates (@​wraithgar)
• workspace: @npmcli/arborist@9.2.0
• workspace: @npmcli/config@10.6.0
• workspace: libnpmdiff@8.1.0
• workspace: libnpmexec@10.2.0
• workspace: libnpmfund@7.0.14
• workspace: libnpmpack@9.1.0

v11.8.0

Compare Source

Features

• 545e861 #​8828 show proxy environment variables in npm config list (Max Black)

Bug Fixes

• c2f784d #​8859 preserve serialNumber UUID in CycloneDX SBOM output #​8837 (#​8859) (@​saksham-malhotra-27)
• f2c3af7 #​8840 more intuitive byte formatting boundaries for rounding (#​8840) (@​watilde)

Documentation

• 3474ec3 #​8866 fix typo/logic error in npm-dedupe docs (#​8866) (@​Schweinepriester)
• 5552e46 #​8797 npm-install: explain package-lock.json behavior (#​8797) (@​MaxBlack-dev, Max Black)

Dependencies

• f478ca0 #​8919 postcss-selector-parser@7.1.1
• 2b6a71f #​8919 path-scurry@2.0.1
• 19096f2 #​8919 sigstore@4.1.0
• e7f5d1e #​8919 lru-cache@11.2.4
• 9e756ae #​8919 ip-address@10.1.0
• f951820 #​8919 common-ancestor-path@2.0.0
• 7a949ad #​8919 @sigstore/verify@3.1.0
• 6979ce1 #​8919 @sigstore/sign@4.1.0
• b4a6a41 #​8919 @sigstore/core@3.1.0
• dc8a8e8 #​8919 @sigstore/tuf@4.0.1
• be221ea #​8919 validate-npm-package-name@7.0.2
• 149823d #​8919 diff@8.0.3
• 32b2001 #​8919 tar@7.5.4

Chores

• 8f599df #​8919 pin jsdom to 27.0.0 (@​wraithgar)
• f4f1161 #​8919 dev dependency updates (@​wraithgar)
• workspace: @npmcli/arborist@9.1.10
• workspace: @npmcli/config@10.5.0
• workspace: libnpmdiff@8.0.13
• workspace: libnpmexec@10.1.12
• workspace: libnpmfund@7.0.13
• workspace: libnpmpack@9.0.13

v11.7.0

Compare Source

Features

• b380d15 #​8697 add deduping to notices unless in verbose+ mode (@​owlstronaut)

Bug Fixes

• 4ebb831 #​8839 updates hints to use cli paradigm (@​owlstronaut)
• 7896e51 #​8838 update the token list text (@​owlstronaut)
• 8ab8668 #​8836 query: support package-lock-only in workspaces (@​watilde)
• 35e8d38 #​8322 properly handle newlines with input when using the spinner (#​8322) (@​mbtools)
• 0c0faae #​8780 adduser: improve email prompt (#​8780) (@​mbtools)

Documentation

• 7f2ab9d #​8810 scripts: replace deprecated prepublish and install examples with prepare (Max Black)
• 91ebab7 #​8847 remove note about token create being disabled (@​owlstronaut)
• 2030250 #​8822 scripts: clarify prepare script runs with --production (Max Black)
• 33a50d7 #​8821 scripts: update npm_package_* environment variables documentation (Max Black)
• 50508f9 #​8793 package-json: add documentation for type field (#​8793) (@​MaxBlack-dev, Max Black)
• aa1dd7e #​8823 scripts: document that prepare scripts run concurrently in workspaces (Max Black)
• 3f48487 #​8820 package-spec: fix alias syntax in examples (Max Black)
• dd104da #​8812 version: add note about git version requirements (Max Black)
• 58afdcc #​8792 install: clarify prerelease version range behavior (Max Black)
• 9f818e8 #​8795 npm-view: clarify object property access syntax and provide examples (Max Black)
• 39c2f2e #​8791 add examples for command line flags including --prefix (Max Black)
• 1298530 #​8790 clarify version field can be omitted in package-lock (Max Black)
• 090b6ca #​8794 npx: clarify that arguments are passed to executed command (Max Black)
• a864f80 #​8787 document gypfile field in package.json (Max Black)
• 2fc689d #​8788 add field access patterns to npm view (Max Black)
• 4850639 #​8796 package-json: add examples for replacing dependencies with forks in overrides (Max Black)
• 4864dd4 #​8798 npm-install: document engines field priority when installing packages (Max Black)
• 95d25cd #​8799 package-json: clarify repository field normalization during publish (Max Black)
• a367f9b #​8800 package-lock-json: clarify that version field may be omitted for certain dependencies (Max Black)
• ffc9b71 #​8801 npm-install: clarify --tag does not override package.json (#​8801) (@​MaxBlack-dev, Max Black)
• 73688ca #​8735 clarify npm version behavior with prerelease versions (#​8735) (@​yashwantbezawada)
• 4a32606 #​8785 updates the token create documentation (#​8785) (@​owlstronaut, @​wraithgar)

Chores

• 54929ce #​8836 update baseline-browser-mapping (@​watilde)

Dependencies

• workspace: @npmcli/arborist@9.1.9
• workspace: @npmcli/config@10.4.5
• workspace: libnpmdiff@8.0.12
• workspace: libnpmexec@10.1.11
• workspace: libnpmfund@7.0.12
• workspace: libnpmpack@9.0.12

---

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Almaty, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled because a matching PR was automerged previously.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 8f059ea

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.