[deps]: Update npm to v11

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
npm (source)	~10 -> ~11.3.0

---

Release Notes

npm/cli (npm)

v11.3.0

Compare Source

Features

• b306d25 #​8129 add node-gyp as actual config (@​wraithgar)

Bug Fixes

• 2f5392a #​8135 make npm run autocomplete work with workspaces (#​8135) (@​terrainvidia)

Documentation

• 26b6454 fix grammer in local path note (@​cgay)
• 1c0e83d #​7886 fix typo in package-json.md (#​7886) (@​stoneLeaf)
• 14efa57 #​8178 fix example package name in overrides explainer (#​8178) (@​G-Rath)
• 4183cba #​8162 logging: replace proceeding with preceding in loglevels details (#​8162) (@​tyleralbee)

Dependencies

• e57f112 #​8207 minipass-fetch@4.0.1
• 3daabb1 #​8207 minizlib@3.0.2
• c7a7527 #​8207 ci-info@4.2.0
• 20b09b6 #​8207 node-gyp@11.2.0
• 679bc4a #​8129 @npmcli/run-script@9.1.0

Chores

• 3fbed84 #​8207 install rimraf as a devdependency for smoke tests (@​owlstronaut)
• 43f0b41 #​8207 dev dependency updates (@​wraithgar)
• 26803bc #​8147 release integration node 23 yml (#​8147) (@​reggi)
• d679a1a #​8146 release integration node 23 (#​8146) (@​reggi)
• workspace: @npmcli/arborist@9.0.2
• workspace: @npmcli/config@10.2.0
• workspace: libnpmdiff@8.0.2
• workspace: libnpmexec@10.1.1
• workspace: libnpmfund@7.0.2
• workspace: libnpmpack@9.0.2

v11.2.0

Compare Source

Features

• 247ee1d #​8100 cache: add npx commands (@​wraithgar)
• 3a80a7b #​8081 add --init-type flag (#​8081) (@​reggi)
• 2a1e11f #​8071 move nerfDart list into @​npmcli/config (@​wraithgar)

Bug Fixes

• 8461186 #​8100 update npx cache if possible when spec is a range (@​wraithgar)
• e345cc5 #​8050 don't suggest npm update outside of valid engine range (#​8050) (@​milaninfy)
• 811ca29 #​8115 stop working around bug fixed in npm-package-arg@12.0.2 (@​TrevorBurnham)
• 879303c #​8078 warn on invalid publishConfig (#​8078) (@​wraithgar)
• 41417de #​8080 warn when TUF fetching of keys fails (#​8080) (@​wraithgar)
• 593c849 #​8076 warn on invalid single-hyphen cli flags (#​8076) (@​wraithgar)

Dependencies

• 3d8b257 #​8100 @npmcli/package-json@6.1.1
• ab17523 #​8134 supports-color@10.0.0
• 3cbe21a #​8134 foreground-child@3.3.1
• ee5e1aa #​8118 @npmcli/redact@3.1.1
• 5df69b4 #​8118 exponential-backoff@3.1.2
• 80c3273 #​8118 read@4.1.0
• 7fd70fa #​8118 node-gyp@11.1.0
• 7aeffff #​8118 cidr-regex@4.1.3
• b0c0490 #​8118 is-cidr@5.1.1
• ef49d6b #​8118 sigstore@3.1.0
• 1399bfb #​8118 socks@2.8.4
• 6b72107 #​8118 semver@7.7.1
• c9ad0c4 #​8118 @npmcli/git@6.0.3
• b153927 #​8115 npm-package-arg@12.0.2
• f0f6265 #​8071 nopt@8.1.0

Chores

• cc72b89 #​8143 fix smoke tests to account for new release versions within a workspace (#​8143) (@​reggi)
• c3810bc #​8134 dev dependency updates (@​wraithgar)
• 9dc40e6 #​8118 dev dependency updates (@​wraithgar)
• 7ec0831 #​8118 update jsonpath-plus (@​wraithgar)
• ed85b01 #​8071 tests for config warnings/changes (@​wraithgar)
• workspace: @npmcli/arborist@9.0.1
• workspace: @npmcli/config@10.1.0
• workspace: libnpmdiff@8.0.1
• workspace: libnpmexec@10.1.0
• workspace: libnpmfund@7.0.1
• workspace: libnpmpack@9.0.1

v11.1.0

Compare Source

Features

• 7f6c997 #​8009 add dry-run to deprecate/undeprecate commands (@​wraithgar)
• 1764a37 #​8009 add npm undeprecate command (@​wraithgar)

Bug Fixes

• 31455b2 #​8054 publish: honor force for no dist tag and registry version check (#​8054) (@​reggi)
• dc31c1b #​8038 remove max-len linting bypasses (@​wraithgar)
• 8a911ff #​8038 publish: disregard deprecated versions when calculating highest version (@​wraithgar)
• 7f72944 #​8038 publish: accept publishConfig.tag to override highes semver check (@​wraithgar)
• ab9ddc0 #​7992 sbom: deduplicate sbom dependencies (#​7992) (@​bdehamer)
• f7da341 #​7980 search: properly display multiple search terms (#​7980) (@​wraithgar)

Documentation

• 3644e79 #​8055 update readme for Node.js versions, remove badges (#​8055) (@​wraithgar)
• f1af61f #​8041 fix typos in "package-json" (#​8041) (@​maxkoryukov)
• e90c6fe #​8051 depth flag default value (#​8051) (@​milaninfy)
• 866b5ee #​8030 safer documentation urls, repos, packages (#​8030) (@​reggi)

Dependencies

• 7ddfbad #​8053 @npmcli/package-json@6.1.1
• 9473a86 #​8053 spdx-license-ids@3.0.21
• a65e5ce #​8053 @sigstore/protobuf-specs@0.3.3
• 215ebe4 #​8053 chalk@5.4.1

Chores

• 61f00e3 #​8069 splits out smoke-tests from publish-dryrun tests (#​8069) (@​reggi)
• 6d0f46e #​8058 stop publish smoke from check git clean (#​8058) (@​reggi)
• 9281ebf #​8057 fix smoke tests prerelease needs separate string args (#​8057) (@​reggi)
• aa202e9 #​8056 smoke tests using a preid (#​8056) (@​reggi)
• 18e0449 #​8053 dev dependency updates (@​wraithgar)
• 859a71c #​8052 update node versions for release integration tests (#​8052) (@​wraithgar)
• 7e7961d #​8038 bump @​npmcli/eslint-config to 5.1.0 (@​wraithgar)
• workspace: @npmcli/config@10.0.1

v11.0.0

Compare Source

Documentation

• 8a911da #​7963 ls: removed design change pending section note (#​7963) (@​milaninfy)

Dependencies

• 5319e48 #​7973 remove unnecessary sprintf-js files in node_modules (#​7973)
• d369c77 #​7976 socks-proxy-agent@8.0.5
• 3b2951a #​7976 https-proxy-agent@7.0.6
• a598b7b #​7976 agent-base@7.1.3
• 52bcaf6 #​7976 debug@4.4.0
• aabf345 #​7976 p-map@7.0.3
• 28e8761 #​7976 npm-package-arg@12.0.1

Chores

• ecd7190 #​7976 dev dependency updates (@​wraithgar)
• a07f4e0 #​7976 @npmcli/template-oss@4.23.6 (@​wraithgar)
• 687ab12 #​7970 remove pre-release mode from npm 11 and workspaces (#​7970) (@​wraithgar)
• workspace: @npmcli/arborist@9.0.0
• workspace: @npmcli/config@10.0.0
• workspace: libnpmaccess@10.0.0
• workspace: libnpmdiff@8.0.0
• workspace: libnpmexec@10.0.0
• workspace: libnpmfund@7.0.0
• workspace: libnpmorg@8.0.0
• workspace: libnpmpack@9.0.0
• workspace: libnpmpublish@11.0.0
• workspace: libnpmsearch@9.0.0
• workspace: libnpmteam@8.0.0
• workspace: libnpmversion@8.0.0

---

Configuration

📅 Schedule: Branch creation - "every 2nd week starting on the 2 week of the year before 4am on Monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[bitwarden-bot]

Internal tracking:

• ID: PM-16416
• Link: https://bitwarden.atlassian.net/browse/PM-16416

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 7.27%. Comparing base (23d285a) to head (a71874b).

✅ All tests successful. No failed tests found.

Additional details and impacted files

@@          Coverage Diff          @@
##            main    #701   +/-   ##
=====================================
  Coverage   7.27%   7.27%           
=====================================
  Files         66      66           
  Lines       2682    2682           
  Branches     473     473           
=====================================
  Hits         195     195           
  Misses      2475    2475           
  Partials      12      12           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

Checkmarx One – Scan Summary & Details – 2371dbd7-c23a-4d3f-9cab-4bade67c45ec

New Issues (79)

Checkmarx found the following issues in this Pull Request

Severity	Issue	Source File / Package	Checkmarx Insight
	CVE-2024-12692	Npm-electron-32.1.1	Vulnerable Package
	CVE-2024-12695	Npm-electron-32.1.1	Vulnerable Package
	CVE-2024-9369	Npm-electron-32.1.1	Vulnerable Package
	CVE-2024-9370	Npm-electron-32.1.1	Vulnerable Package
	CVE-2025-0611	Npm-electron-32.1.1	Vulnerable Package
	CVE-2024-10229	Npm-electron-32.1.1	Vulnerable Package
	CVE-2024-10230	Npm-electron-32.1.1	Vulnerable Package
	CVE-2024-10231	Npm-electron-32.1.1	Vulnerable Package
	CVE-2024-10487	Npm-electron-32.1.1	Vulnerable Package
	CVE-2024-10488	Npm-electron-32.1.1	Vulnerable Package
	CVE-2024-10826	Npm-electron-32.1.1	Vulnerable Package
	CVE-2024-10827	Npm-electron-32.1.1	Vulnerable Package
	CVE-2024-11112	Npm-electron-32.1.1	Vulnerable Package
	CVE-2024-11113	Npm-electron-32.1.1	Vulnerable Package
	CVE-2024-11114	Npm-electron-32.1.1	Vulnerable Package
	CVE-2024-11115	Npm-electron-32.1.1	Vulnerable Package
	CVE-2024-11395	Npm-electron-32.1.1	Vulnerable Package
	CVE-2024-12053	Npm-electron-32.1.1	Vulnerable Package
	CVE-2024-12381	Npm-electron-32.1.1	Vulnerable Package
	CVE-2024-12382	Npm-electron-32.1.1	Vulnerable Package
	CVE-2024-12693	Npm-electron-32.1.1	Vulnerable Package
	CVE-2024-12694	Npm-electron-32.1.1	Vulnerable Package
	CVE-2024-21538	Npm-cross-spawn-7.0.3	Vulnerable Package
	CVE-2024-52798	Npm-path-to-regexp-0.1.10	Vulnerable Package
	CVE-2024-7025	Npm-electron-32.1.1	Vulnerable Package
	CVE-2024-8904	Npm-electron-32.1.1	Vulnerable Package
	CVE-2024-8905	Npm-electron-32.1.1	Vulnerable Package
	CVE-2024-9120	Npm-electron-32.1.1	Vulnerable Package
	CVE-2024-9121	Npm-electron-32.1.1	Vulnerable Package
	CVE-2024-9122	Npm-electron-32.1.1	Vulnerable Package
	CVE-2024-9123	Npm-electron-32.1.1	Vulnerable Package
	CVE-2024-9602	Npm-electron-32.1.1	Vulnerable Package
	CVE-2024-9603	Npm-electron-32.1.1	Vulnerable Package
	CVE-2024-9954	Npm-electron-32.1.1	Vulnerable Package
	CVE-2024-9955	Npm-electron-32.1.1	Vulnerable Package
	CVE-2024-9956	Npm-electron-32.1.1	Vulnerable Package
	CVE-2024-9957	Npm-electron-32.1.1	Vulnerable Package
	CVE-2024-9959	Npm-electron-32.1.1	Vulnerable Package
	CVE-2024-9960	Npm-electron-32.1.1	Vulnerable Package
	CVE-2024-9961	Npm-electron-32.1.1	Vulnerable Package
	CVE-2024-9965	Npm-electron-32.1.1	Vulnerable Package
	CVE-2025-0291	Npm-electron-32.1.1	Vulnerable Package
	CVE-2025-0434	Npm-electron-32.1.1	Vulnerable Package
	CVE-2025-0436	Npm-electron-32.1.1	Vulnerable Package
	CVE-2025-0437	Npm-electron-32.1.1	Vulnerable Package
	CVE-2025-0438	Npm-electron-32.1.1	Vulnerable Package
	CVE-2025-0443	Npm-electron-32.1.1	Vulnerable Package
	CVE-2025-0612	Npm-electron-32.1.1	Vulnerable Package
	CVE-2025-0762	Npm-electron-32.1.1	Vulnerable Package
	CVE-2025-1914	Npm-electron-32.1.1	Vulnerable Package
	CVE-2025-1917	Npm-electron-32.1.1	Vulnerable Package
	Cxcd847ba7-2310	Npm-electron-32.1.1	Vulnerable Package
	CVE-2024-11110	Npm-electron-32.1.1	Vulnerable Package
	CVE-2024-11111	Npm-electron-32.1.1	Vulnerable Package
	CVE-2024-11116	Npm-electron-32.1.1	Vulnerable Package
	CVE-2024-11117	Npm-electron-32.1.1	Vulnerable Package
	CVE-2024-55565	Npm-nanoid-3.3.7	Vulnerable Package
	CVE-2024-8906	Npm-electron-32.1.1	Vulnerable Package
	CVE-2024-8907	Npm-electron-32.1.1	Vulnerable Package
	CVE-2024-8908	Npm-electron-32.1.1	Vulnerable Package
	CVE-2024-8909	Npm-electron-32.1.1	Vulnerable Package
	CVE-2024-9958	Npm-electron-32.1.1	Vulnerable Package
	CVE-2024-9962	Npm-electron-32.1.1	Vulnerable Package
	CVE-2024-9963	Npm-electron-32.1.1	Vulnerable Package
	CVE-2024-9964	Npm-electron-32.1.1	Vulnerable Package
	CVE-2024-9966	Npm-electron-32.1.1	Vulnerable Package
	CVE-2025-0435	Npm-electron-32.1.1	Vulnerable Package
	CVE-2025-0439	Npm-electron-32.1.1	Vulnerable Package
	CVE-2025-0440	Npm-electron-32.1.1	Vulnerable Package
	CVE-2025-0441	Npm-electron-32.1.1	Vulnerable Package
	CVE-2025-0446	Npm-electron-32.1.1	Vulnerable Package
	CVE-2025-0448	Npm-electron-32.1.1	Vulnerable Package
	CVE-2025-1915	Npm-electron-32.1.1	Vulnerable Package
	CVE-2025-1916	Npm-electron-32.1.1	Vulnerable Package
	CVE-2025-1918	Npm-electron-32.1.1	Vulnerable Package
	CVE-2025-1919	Npm-electron-32.1.1	Vulnerable Package
	CVE-2025-1921	Npm-electron-32.1.1	Vulnerable Package
	CVE-2025-1922	Npm-electron-32.1.1	Vulnerable Package
	CVE-2025-1923	Npm-electron-32.1.1	Vulnerable Package