deps: upgrade npm to 11.6.1

[npm-cli-bot]

11.6.1 (2025-09-23)

Bug Fixes

• d389614 #8579 corrects peer dependency flag propagation (@owlstronaut)
• 5db81c3 #8512 allow concurrent non-local npx calls (#8512) (@jenseng, @wraithgar)

Documentation

• 7a09902 #8582 bring back certfile (#8582) (@jenseng)

Dependencies

• 849dcb6 #8589 tar@7.5.1 (#8589)
• ea15731 #8576 binary-extensions@3.1.0
• 0f41bac #8576 tiny-relative-date@2.0.2
• 07bf540 #8576 is-cidr@6.0.0
• ef87ec6 #8576 diff@8.0.2
• 48285e0 #8576 add fdir, isexe, and picomatch to node_modules
• 099238a #8576 fdir@6.5.0
• 6e4d673 #8576 isexe@3.1.1
• 09a7494 #8576 supports-color@10.2.2
• c5157c9 #8576 chalk@5.6.2
• 46035db #8576 debug@4.4.3
• 5f6664b #8576 spdx-license-ids@3.0.22
• 5516583 #8576 socks@2.8.7
• 6a392f3 #8576 tinyglobby@0.2.15
• 9519f18 #8576 npm-install-checks@7.1.2
• 34bafd1 #8576 node-gyp@11.4.2
• dfd034e #8576 @npmcli/promise-spawn@8.0.3
• d4eef14 #8576 rimraf@6.0.1
• 566f1b7 #8576 minimatch@10.0.3
• ac33497 #8576 mkdirp@3.0.1
• 1676626 #8576 glob@11.0.3
• 817f0b1 #8576 ignore-walk@8.0.0
• 79a4e67 #8576 minizlib@3.0.2
• 38fa2c2 #8576 negotiator@1.0.0
• 24252a1 #8576 @npmcli/agent@4.0.0
• ea7ca5f #8576 lru-cache@11.2.1
• 521823b #8576 @npmcli/git@7.0.0
• bf6b686 #8576 npm-package-arg@13.0.0
• 9392488 #8576 npm-package-manifest@11.0.1
• 0082083 #8576 normalize-package-data@8.0.0
• 633c4ed #8576 hosted-git-info@9.0.0
• 66f64eb #8576 make-fetch-happen@15.0.2
• 1f85f94 #8576 @sigstore/tuf@4.0.0
• a2bdecc #8576 sigstore@4.0.0
• 1149971 #8576 npm-registry-fetch@19.0.0
• b5bd5e3 #8576 npm-profile@12.0.0
• 6221e27 #8576 @npmcli/metavuln-calculator@9.0.2
• da81a37 #8576 cacache@20.0.1
• 6b4c5f9 #8576 @npmcli/run-script@10.0.0
• cb36a8a #8576 init-package-json@8.2.2
• b6bb9ae #8576 pacote@21.0.3
• 1b4433f #8576 @npmcli/map-workspaces@5.0.0
• ceae674 #8576 @npmcli/package-json@7.0.1
• 4f37534 #8576 remove read-package-json-fast

Chores

• 7eb5c09 #8576 update package-lock with peer flag fixes (@wraithgar)
• 0d00fd8 #8576 jsdom@27.0.0 (@wraithgar)
• 420a569 #8576 unified@11.0.5 (@wraithgar)
• 064deb3 #8576 remark-rehype@11.1.2 (@wraithgar)
• 30fe3ba #8576 remark-man@9.0.0 (@wraithgar)
• 1c6bb4c #8576 rehype-stringify@10.0.1 (@wraithgar)
• 208cb93 #8576 remark-gfm@4.0.1 (@wraithgar)
• 4a46b5a #8576 remark-github@12.0.0 (@wraithgar)
• 93d190b #8576 remark-parse@11.0.0 (@wraithgar)
• 05301a4 #8576 remark@15.0.1 (@wraithgar)
• 6afdda9 #8576 ajv-formats@3.0.1 (@wraithgar)
• 402a0ab #8576 @npmcli/template-oss@4.25.1 (@wraithgar)
• 3b43bf7 #8576 dev dependency updates (@wraithgar)
• 9f9146f #8576 @tufjs/repo-mock@4.0.0 (@wraithgar)
• eed8a10 #8576 use latest/local arborist in mock-registry (@wraithgar)
• workspace: @npmcli/arborist@9.1.5
• workspace: @npmcli/config@10.4.1
• workspace: libnpmaccess@10.0.2
• workspace: libnpmdiff@8.0.8
• workspace: libnpmexec@10.1.7
• workspace: libnpmfund@7.0.8
• workspace: libnpmorg@8.0.1
• workspace: libnpmpack@9.0.8
• workspace: libnpmpublish@11.1.1
• workspace: libnpmsearch@9.0.1
• workspace: libnpmteam@8.0.2
• workspace: libnpmversion@8.0.2

[nodejs-github-bot]

Review requested:

• @nodejs/security-wg

[github-actions]

Fast-track has been requested by @nodejs-github-bot. Please 👍 to approve.

[wraithgar]

The main update here is getting our subdependencies updated. Most of the npmcli ones needed semver major changes to get up to the same engines declaration as npm itself. This is a follow up task to any new major npm release, but this one just took awhile.

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/69394/

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/69478/

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/69513/

[nodejs-github-bot]

Landed in 5d843c9

[ChALkeR]

This introduced a tar version which could expose uninitialized memory if zero-fill is disabled in #60423

See isaacs/node-tar#445

1. Is affected code ever called from npm?
2. If yes, is returning uninitialized process memory a concern?

[wraithgar]

I don't believe npm does any synchronous operations with tar.

$ npm query \#tar|npx json -a _id location from
tar@7.5.1 node_modules/tar [
  "node_modules/node-gyp",
  "node_modules/pacote",
  "workspaces/libnpmdiff",
  "node_modules/node-gyp/node_modules/cacache",
  ""
]

node-gyp does an async extract

$ grep -r tar\\. node_modules/node-gyp/lib/
node_modules/node-gyp/lib/install.js:          await tar.extract({
node_modules/node-gyp/lib/install.js:              tar.extract({

pacote does an async extract and list

node_modules/pacote/lib/dir.js:      .then(files => tar.c(tarCreateOptions(this.package), files)
node_modules/pacote/lib/fetcher.js:    const extractor = tar.x(this.#tarxOptions({ cwd: dest }))

libnpmdiff does an async create and list

workspaces/libnpmdiff/lib/index.js:const untar = require('./untar.js')
workspaces/libnpmdiff/lib/tarball.js:      tar.c(tarCreateOptions(manifest), files).concat()
workspaces/libnpmdiff/lib/untar.js:  tar.list({

npm itself does an async list

lib/utils/tar.js:  const stream = tar.t({

cacache never actually used it npm/cacache#312

[ChALkeR]

@wraithgar Thanks! I also rechecked the usage here and it appears that the problematic codepath is indeed not used from npm

[ChALkeR]

For context: this had to be rechecked even if npm is just a tool not used in app runtime, it still has secrets like env vars and npm token in its memory, and leaking that e.g. while unpacking to disk under race conditions would have been... problematic. (e.g. npm already had an issue of saving env vars to disk back in the days which led to credentials exposure)

good thing that it's not affected)