Skip to content

chore: release 11.13.0#9240

Open
github-actions[bot] wants to merge 1 commit intorelease/v11from
release-please--branches--release/v11
Open

chore: release 11.13.0#9240
github-actions[bot] wants to merge 1 commit intorelease/v11from
release-please--branches--release/v11

Conversation

@github-actions
Copy link
Copy Markdown
Contributor

@github-actions github-actions bot commented Apr 15, 2026
edited
Loading

🤖 I have created a release beep boop

11.13.0

11.13.0 (2026-04-17)

Features

Bug Fixes

Dependencies

Chores

arborist: 9.4.3

9.4.3 (2026-04-17)

Bug Fixes

libnpmdiff: 8.1.6

Dependencies

libnpmexec: 10.2.6

10.2.6 (2026-04-17)

Bug Fixes

Dependencies

libnpmfund: 7.0.20

Dependencies

libnpmpack: 9.1.6

Dependencies

This PR was generated with Release Please. See documentation.

@github-actions github-actions bot requested a review from a team as a code owner April 15, 2026 18:19
@github-actions
Copy link
Copy Markdown
Contributor Author

github-actions bot commented Apr 15, 2026
edited
Loading

Release Manager

Release workflow run: https://github.com/npm/cli/actions/runs/24585376444

Release Checklist for v11.13.0

  • 1. Checkout the release branch

    Ensure git status is not dirty on this branch after resetting deps. If it is, then something is probably wrong with the automated release process.

    gh pr checkout 9240 --force
    npm run resetdeps
    node scripts/git-dirty.js

  • 2. Check CI status

    gh pr checks --watch

  • 3. Log in to npm

    npm login sessions are short lived, so you will want to have a fresh one before you publish.

    npm login

  • 4. Publish the CLI and workspaces

    Warning:
    This will publish all updated workspaces to latest, prerelease or backport depending on their version, and will publish the CLI with the dist-tag set to next-11.

    Note:
    The --test argument can optionally be omitted to run the publish process without running any tests locally.

    node scripts/publish.js --test

  • 5. Optionally install and test npm@11.13.0 locally

    npm i -g npm@11.13.0
    npm --version
npm whoami
npm help install
# etc

  • 6. Set latest dist-tag to newly published version

    Warning:
    NOT FOR PRERELEASE: Do not run this step for prereleases or if 11 is not being set to latest.

    node . dist-tag add npm@11.13.0 latest

  • 7. Trigger docs.npmjs.com update

    gh workflow run update-cli.yml --repo npm/documentation

  • 8. Approve and Merge release PR

    gh pr review --approve
    gh pr merge --rebase
    git checkout release/v11
    git fetch
    git reset --hard origin/release/v11
    node . run resetdeps

  • 9. Wait For Release Tags

    Warning:
    The remaining steps all require the GitHub tags and releases to be created first. These are done once this PR has been labelled with autorelease: tagged.

    Release Please will run on the just merged release commit and create GitHub releases and tags for each package. The release bot will will comment on this PR when the releases and tags are created.

    Note:
    The release workflow also includes the Node integration tests which do not need to finish before continuing.

    You can watch the release workflow in your terminal with the following command:

    gh run watch `gh run list -R npm/cli -w release -b release/v11 -L 1 --json databaseId -q ".[0].databaseId"`

  • 10. Mark GitHub Release as latest

    Warning:
    You must wait for CI to create the release tags before running this step. These are done once this PR has been labelled with autorelease: tagged.

    Release Please will make GitHub Releases for the CLI and all workspaces, but GitHub has UI affordances for which release should appear as the "latest", which should always be the CLI. To mark the CLI release as latest run this command:

    gh release -R npm/cli edit v11.13.0 --latest

  • 11. Open nodejs/node PR to update npm

    Warning:
    You must wait for CI to create the release tags before running this step. These are done once this PR has been labelled with autorelease: tagged.

    Trigger the Create Node PR action. This will open a PR on nodejs/node to the main branch.

    First, sync our fork of node with the upstream source:

    gh repo sync npm/node --source nodejs/node --force

    Then, if we are opening a PR against the latest version of node:

    gh workflow run create-node-pr.yml -R npm/cli -f spec=next-11

    For backport releases, you must target the correct Node branch using -f branch=<NODE_MAJOR>. Make sure you are targeting the right Node major version for this npm version.

    For example, this will create a PR on nodejs/node to the v16.x-staging branch:

    gh workflow run create-node-pr.yml -R npm/cli -f spec=next-11 -f branch=16

  • 12. Label and fast-track nodejs/node PR

    Note:
    This requires being a nodejs collaborator. This could be you!

    • Thumbs-up reaction on the Fast-track comment
    • Add an LGTM / Approval
    • Add request-ci label to get it running CI
    • Add commit-queue label once everything is green
    • For backport releases, comment on the PR asking the Node.js team to add dont-land-on-v<NODE_MAJOR> labels for Node versions where this npm version should not be included

@github-actions github-actions bot force-pushed the release-please--branches--release/v11 branch 3 times, most recently from afe4ac7 to 317fe08 Compare April 15, 2026 18:44
@github-actions github-actions bot changed the title chore: release 11.12.2 chore: release 11.13.0 Apr 16, 2026
@github-actions github-actions bot force-pushed the release-please--branches--release/v11 branch 4 times, most recently from c90b6d0 to 1cf0309 Compare April 17, 2026 15:21
pavel-kalmykov added a commit to pavel-kalmykov/bitbucket-server-mcp that referenced this pull request Apr 17, 2026
@pavel-kalmykov
refactor(release): isolate semantic-release in .release/ package
746952c 
PR #34 moved semantic-release out of devDependencies to an ephemeral
`npm install --no-save --no-package-lock` in the release workflow.
That fixed Vulnerabilities 7->10 on OpenSSF Scorecard but dropped
Pinned-Dependencies 9->9 (still flagged) because Scorecard counts
`npm install` as unpinned; only `npm ci` against a lockfile is
accepted as pinned.

Move the tooling into a .release/ subpackage with its own
package-lock.json. The release workflow now runs `npm ci --prefix
.release` and executes the binary from .release/node_modules/.bin/.

Why this is the same audit outcome as PR #34 but without the scorecard
penalty: `npm audit` only walks the tree rooted at the current
directory. With tooling in .release/node_modules/, the root
`npm audit` never sees the bundled `npm` CLI or its vendored
brace-expansion/picomatch advisories; they are reachable only from
`.release/` which we never audit on main.

Upstream context: npm/cli#9194 tracks the same advisories
(brace-expansion GHSA-f886-m6hf-6m8v, picomatch GHSA-3v7f-55p6-f55p
and GHSA-c2c7-rcm5-vvqj). The fix lands in npm 11.13.0 (PR
npm/cli#9240). Once @semantic-release/npm picks it up via its
`^11.6.2` range, `npm update` inside `.release/` refreshes the
lockfile without any other churn.
This was referenced Apr 17, 2026
Merged
Merged
pavel-kalmykov added a commit to pavel-kalmykov/bitbucket-server-mcp that referenced this pull request Apr 17, 2026
@pavel-kalmykov
revert: restore semantic-release in devDependencies
8c6e172 
PR #34 (ephemeral install) traded Vulnerabilities 7→10 at the cost of
Pinned-Dependencies staying at 9 because `npm install --no-save` is
flagged as unpinned. PR #35 (.release/ subpackage with its own
lockfile) fixed Pinned-Dependencies 9→10 but osv-scanner then found
the bundled brace-expansion/picomatch advisories in the committed
`.release/package-lock.json` and Vulnerabilities fell back to 7.

Net: both approaches land at ~7.5-7.7 score, and both add
architectural noise (ephemeral install vs split tooling tree) that
exists solely to dodge `npm audit`.

Simpler path: restore semantic-release, @semantic-release/changelog,
@semantic-release/git in devDependencies; drop the .release/
subpackage and the Dependabot carve-out for it; revert the release
workflow to `npx semantic-release`. We accept Vulnerabilities 7 while
npm/cli#9194 lands (npm 11.13.0 bumps the bundled brace-expansion to
5.0.5 and picomatch to 4.0.4; release PR npm/cli#9240 open since
2026-04-15, historical merge-to-publish window 2-9 days).

Kept from the earlier scorecard sweep:
- Dockerfile multistage build using `npm ci` (Pinned-Dependencies 10)
- Branch protection: ruleset requires PR, no admin bypass
- fast-check pin at 4.6.0 (TS strict-build incompat in 4.7.0)

When npm 11.13.x lands, Dependabot will open the bump PR automatically
and Vulnerabilities goes back to 10 with zero manual changes here.
bitbucket-mcp-bot bot pushed a commit to pavel-kalmykov/bitbucket-server-mcp that referenced this pull request Apr 17, 2026
@semantic-release-bot
chore(release): 0.6.7 [skip ci]
7177f1f 
## [0.6.7](v0.6.6...v0.6.7) (2026-04-17)

### Reverts

* restore semantic-release in devDependencies ([8c6e172](8c6e172)), closes [#34](#34) [#35](#35) [npm/cli#9194](npm/cli#9194) [npm/cli#9240](npm/cli#9240)
@github-actions github-actions bot force-pushed the release-please--branches--release/v11 branch 3 times, most recently from 1656edc to 9026790 Compare April 17, 2026 20:32
@github-actions github-actions bot force-pushed the release-please--branches--release/v11 branch from 9026790 to 21d2c50 Compare April 17, 2026 20:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

autorelease: pending

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants