anhy999 · pull · Mar 16, 2026 · Mar 17, 2026 · Mar 17, 2026 · Mar 18, 2026
diff --git a/.commitlintrc.js b/.commitlintrc.js
@@ -0,0 +1,12 @@
+/* This file is automatically added by @npmcli/template-oss. Do not edit. */
+
+module.exports = {
+  extends: ['@commitlint/config-conventional'],
+  rules: {
+    'type-enum': [2, 'always', ['feat', 'fix', 'docs', 'deps', 'chore']],
+    'header-max-length': [2, 'always', 80],
+    'subject-case': [0],
+    'body-max-line-length': [0],
+    'footer-max-line-length': [0],
+  },
+}
diff --git a/.eslintrc.js b/.eslintrc.js
@@ -1,3 +1,7 @@
+/* This file is automatically added by @npmcli/template-oss. Do not edit. */
+
+'use strict'
+
 const { readdirSync: readdir } = require('fs')
 
 const localConfigs = readdir(__dirname)
@@ -6,6 +10,16 @@ const localConfigs = readdir(__dirname)
 
 module.exports = {
   root: true,
+  ignorePatterns: [
+    'tap-testdir*/',
+    '/node_modules/.bin/',
+    '/node_modules/.cache/',
+    'docs/**',
+    'smoke-tests/**',
+    'mock-globals/**',
+    'mock-registry/**',
+    'workspaces/**',
+  ],
   extends: [
     '@npmcli',
     ...localConfigs,

diff --git a/.eslintrc.local.js b/.eslintrc.local.js
@@ -0,0 +1,37 @@
+const { resolve, relative } = require('path')
+
+// Create an override to lockdown a file to es6 syntax only
+// and only allow it to require an allowlist of files
+const rel = (p) => relative(__dirname, resolve(__dirname, p))
+const braces = (a) => a.length > 1 ? `{${a.map(rel).join(',')}}` : a[0]
+
+const es6Files = (e) => Object.entries(e).map(([file, allow]) => ({
+  files: `./${rel(file)}`,
+  parserOptions: {
+    ecmaVersion: 6,
+  },
+  rules: Array.isArray(allow) ? {
+    'node/no-restricted-require': ['error', [{
+      name: ['/**', `!${__dirname}/${braces(allow)}`],
+      message: `This file can only require: ${allow.join(',')}`,
+    }]],
+  } : {},
+}))
+
+module.exports = {
+  rules: {
+    'no-console': 'error',
+  },
+  overrides: es6Files({
+    'index.js': ['lib/cli.js'],
+    'bin/npm-cli.js': ['lib/cli.js'],
+    'lib/cli.js': ['lib/cli/validate-engines.js'],
+    'lib/cli/validate-engines.js': ['package.json'],
+    // TODO: This file should also have its requires restricted as well since it
+    // is an entry point but it currently pulls in config definitions which have
+    // a large require graph, so that is not currently feasible. A future config
+    // refactor should keep that in mind and see if only config definitions can
+    // be exported in a way that is compatible with ES6.
+    'bin/npx-cli.js': null,
+  }),
+}
diff --git a/.eslintrc.local.json b/.eslintrc.local.json
diff --git a/.gitattributes b/.gitattributes
@@ -1,2 +1,29 @@
-/node_modules/**    linguist-generated=false
-/package-lock.json  linguist-generated=false
+# normalize all line endings by default
+* text=auto
+
+# our shell/bin scripts always need to be LF
+/bin/* text eol=lf
+/workspaces/arborist/bin/index.js text eol=lf
+/configure text eol=lf
+
+# our cmd scripts always need to be CRLF
+/bin/**/*.cmd text eol=crlf
+
+# ignore all line endings in node_modules since we dont control that
+/node_modules/** -text
+
+# the files we write should be LF so they can be generated cross platform
+/node_modules/.gitignore text eol=lf
+/workspaces/arborist/test/fixtures/.gitignore text eol=lf
+/DEPENDENCIES.md text eol=lf
+/DEPENDENCIES.json text eol=lf
+/AUTHORS text eol=lf
+/docs/lib/content/nav.yml text eol=lf
+
+# fixture tarballs should be treated as binary
+/workspaces/*/test/fixtures/**/*.tgz binary
+
+# these hint to GitHub to show these files as not generated so they default to
+# showing the full diff in pull requests
+/node_modules/** linguist-generated=false
+/package-lock.json linguist-generated=false
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -1 +1,3 @@
-*	@npm/cli-team
+# This file is automatically added by @npmcli/template-oss. Do not edit.
+
+* @npm/cli-team @npm/cli-triage
diff --git a/.github/ISSUE_TEMPLATE/bug.yml b/.github/ISSUE_TEMPLATE/bug.yml
@@ -0,0 +1,70 @@
+name: 🐞 Bug
+description: File a bug/issue against the latest version of npm
+title: "[BUG] <title>"
+labels: [Bug, Needs Triage]
+body:
+- type: checkboxes
+  attributes:
+    label: Is there an existing issue for this?
+    description: Please [search here](https://github.com/npm/cli/issues) to see if an issue already exists for your problem.
+    options:
+    - label: I have searched the existing issues
+      required: true
+- type: checkboxes
+  attributes:
+    label: This issue exists in the latest npm version
+    description: Please make sure you have installed the latest npm and verified it is still an issue.
+    options:
+    - label: I am using the latest npm
+      required: true
+- type: checkboxes
+  attributes:
+    label: This is not just a request to bump a dependency for a CVE
+    description: npm bundles its dependencies and updates them on a regular cadence, so CVEs in our bundled dependencies are picked up automatically. Issues opened solely to request a dependency bump for a CVE will be closed. To report an actual vulnerability in npm, please follow our [security policy](https://github.com/npm/cli/blob/latest/SECURITY.md) instead.
+    options:
+    - label: This is not solely a request to bump a dependency for a CVE
+      required: true
+- type: textarea
+  attributes:
+    label: Current Behavior
+    description: A clear & concise description of what you're experiencing.
+  validations:
+    required: false
+- type: textarea
+  attributes:
+    label: Expected Behavior
+    description: A clear & concise description of what you expected to happen.
+  validations:
+    required: false
+- type: textarea
+  attributes:
+    label: Steps To Reproduce
+    description: Steps to reproduce the behavior.
+    value: |
+      1. In this environment...
+      2. With this config...
+      3. Run '...'
+      4. See error...
+  validations:
+    required: false
+- type: textarea
+  attributes:
+    label: Environment
+    description: |
+      examples:
+        - **`npm -v`**: **npm**: 10.0.0
+        - **`node -v`**: **Node.js**: 18.0.0
+        - **OS Name**: Ubuntu 20.04
+        - **System Model Name**: Macbook Pro
+        - **`npm config ls`**: `; "user" config from ...`
+    value: |
+        - npm:
+        - Node.js:
+        - OS Name:
+        - System Model Name:
+        - npm config:
+        ```ini
+        ; copy and paste output from `npm config ls` here
+        ```
+  validations:
+    required: false
diff --git a/.github/ISSUE_TEMPLATE/bug_8.yml b/.github/ISSUE_TEMPLATE/bug_8.yml
diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml
@@ -1,10 +1,13 @@
 blank_issues_enabled: true
 contact_links:
+  - name: 🔒 Dependency CVE / security advisory in a bundled dependency
+    url: https://github.com/npm/cli/blob/latest/SECURITY.md
+    about: npm bundles its dependencies and updates them regularly, so CVEs in our bundled dependencies are picked up automatically. Please don't open an issue just to request a dependency bump for a CVE. To report a vulnerability in npm, see our security policy.
   - name: ❓ Help with issues in older versions of the CLI
     url: https://github.community/c/software-development/47
     about: Find/file tickets with the community
   - name: ⭐️ Feature Request
-    url: https://github.com/npm/feedback
+    url: https://github.com/orgs/community/discussions/categories/npm
     about: Add your request or discuss the project w/ the community
   - name: 📃 RFC
     url: https://github.com/npm/rfcs
@@ -18,6 +21,6 @@ contact_links:
   - name: 📫 Support
     url: https://github.community/
     about: For general support questions please open a topic over at github.community
-   - name: 🚑 Support Policy
+  - name: 🚑 Support Policy
     url: https://github.com/npm/cli/wiki/Support-Policy
     about: Information about what version(s) of the CLI we support
diff --git a/.github/actions/create-check/action.yml b/.github/actions/create-check/action.yml
@@ -0,0 +1,52 @@
+# This file is automatically added by @npmcli/template-oss. Do not edit.
+
+name: 'Create Check'
+inputs:
+  name:
+    required: true
+  token:
+    required: true
+  sha:
+    required: true
+  check-name:
+    default: ''
+outputs:
+  check-id:
+    value: ${{ steps.create-check.outputs.check_id }}
+runs:
+  using: "composite"
+  steps:
+    - name: Get Workflow Job
+      uses: actions/github-script@v7
+      id: workflow
+      env:
+        JOB_NAME: "${{ inputs.name }}"
+        SHA: "${{ inputs.sha }}"
+      with:
+        result-encoding: string
+        script: |
+          const { repo: { owner, repo}, runId, serverUrl } = context
+          const { JOB_NAME, SHA } = process.env
+
+          const job = await github.rest.actions.listJobsForWorkflowRun({
+            owner,
+            repo,
+            run_id: runId,
+            per_page: 100
+          }).then(r => r.data.jobs.find(j => j.name.endsWith(JOB_NAME)))
+
+          return [
+            `This check is assosciated with ${serverUrl}/${owner}/${repo}/commit/${SHA}.`,
+            'Run logs:',
+            job?.html_url || `could not be found for a job ending with: "${JOB_NAME}"`,
+          ].join(' ')
+    - name: Create Check
+      uses: LouisBrunner/checks-action@v1.6.0
+      id: create-check
+      with:
+        token: ${{ inputs.token }}
+        sha: ${{ inputs.sha }}
+        status: in_progress
+        name: ${{ inputs.check-name || inputs.name }}
+        output: |
+          {"summary":"${{ steps.workflow.outputs.result }}"}