chore(deps): update dependency npm to v10.9.6

[mend-for-github-com]

This PR contains the following updates:

Package	Type	Update	Change
npm (source)	dependencies	minor	10.8.1 → 10.9.6

By merging this PR, the below vulnerabilities will be automatically resolved:

Severity	CVSS Score	Vulnerability	Reachability
High	8.8	CVE-2026-23950	Unreachable
High	8.2	CVE-2026-24842	Unreachable
High	7.5	CVE-2024-21538	Unreachable
High	7.5	CVE-2025-64756	Unreachable
High	7.5	CVE-2026-27904
High	7.1	CVE-2026-26960
Low	3.1	CVE-2025-5889	Unreachable

---

Release Notes

npm/cli (npm)

v10.9.6

Compare Source

Bug Fixes

• d6fe671 #​9098 arborist: v10 - backport multiple fixes for linked install (#​9098) (@​manzoorwanijk)

Dependencies

• a5dadad #​9067 tar@7.5.11
• 87abb92 #​9067 pacote@20.0.1
• c2f0fd2 #​9067 pacote@19.0.2
• workspace: @npmcli/arborist@8.0.3
• workspace: libnpmdiff@7.0.3
• workspace: libnpmexec@9.0.3
• workspace: libnpmfund@6.0.3
• workspace: libnpmpack@8.0.3

v10.9.5

Compare Source

Bug Fixes

• 794f6c8 #​9011 backport linked strategy fixes from multiple PRs to v10 (#​9011) (@​manzoorwanijk)

Dependencies

• 6717032 #​9056 tuf-js@3.1.0
• e4e25ea #​9056 tinyglobby@0.2.15
• 9464329 #​9056 socks@2.8.7
• 23c3e17 #​9056 postcss-selector-parser@7.1.1
• 77f9c29 #​9056 p-map@7.0.4
• f1a0315 #​9056 npm-install-checks@7.1.2
• ad7d3ac #​9056 normalize-package-data@7.0.1
• 63a7c82 #​9056 node-gyp@11.5.0
• 569d807 #​9056 isexe@3.1.5
• 7dbe993 #​9056 fdir@6.5.0
• f241a38 #​9056 exponential-backoff@3.1.3
• bdeabff #​9056 ci-info@4.4.0
• d8ebcd5 #​9056 aproba@2.1.0
• be1b008 #​9056 spdx-license-ids@3.0.23
• 1005efd #​9056 strip-ansi@7.2.0
• d00bf96 #​9056 diff@5.2.2
• 7a74819 #​9056 debug@4.4.3
• 938db00 #​9056 minipass@7.1.3
• 70e90e5 #​9056 minimatch@9.0.9
• 733ff41 #​9056 glob@10.5.0
• ea8227a #​9056 ansi-styles@6.2.3
• edd20ef #​9056 ansi-regex@6.2.2
• 2592b45 #​9056 agent-base@7.7.4
• 3174366 #​9056 semver@7.7.4
• 380df0e #​9056 tar@7.5.9
• 49025ae #​9056 chalk@5.6.2
• 64601cd #​9056 @npmcli/promise-spawn@8.0.3
• 0e23c00 #​9056 validate-npm-package-name@6.0.2

Chores

• 72cc7de #​9056 template-oss@4.29.0 (@​wraithgar)
• 51711b8 #​9056 dev dependency updates (@​wraithgar)
• workspace: @npmcli/arborist@8.0.2
• workspace: libnpmdiff@7.0.2
• workspace: libnpmexec@9.0.2
• workspace: libnpmfund@6.0.2
• workspace: libnpmpack@8.0.2
• workspace: libnpmpublish@10.0.2

v10.9.4

Compare Source

Bug Fixes

• f7ff89c #​8551 powershell: fix StrictMode and improve argument parsing (#​8551) (@​alexsch01, @​splatteredbits)

v10.9.3

Compare Source

Bug Fixes

• 7cff878 #​8343 powershell: use Invoke-Expression to pass args (#​8343) (@​alexsch01)
• 78dc057 #​8378 stop working around bug fixed in npm-package-arg@12.0.2 (@​TrevorBurnham)
• e510f14 #​8248 docs: 'pacakge' -> 'package' (#​8248) (@​t3hmrman)

Dependencies

• c38ec84 #​8378 validate-npm-package-name@6.0.1
• 72564c5 #​8378 spdx-license-ids@3.0.21
• 20fa199 #​8378 socks@2.8.5
• 48c193a #​8378 socks-proxy-agent@8.0.5
• 00fccfb #​8378 semver@7.7.2
• 5ab8aac #​8378 read@4.1.0
• 224c69e #​8378 p-map@7.0.3
• 1e41678 #​8378 npm-package-arg@12.0.2
• e9cf30e #​8378 nopt@8.1.0
• 2bedf25 #​8378 minizlib@3.0.2
• a795ee0 #​8378 minipass-fetch@4.0.1
• 8ed043c #​8378 https-proxy-agent@7.0.6
• 74518d0 #​8378 http-cache-semantics@4.2.0
• cc7dcfc #​8378 hosted-git-info@8.1.0
• 13aea40 #​8378 foreground-child@3.3.1
• 9c81599 #​8378 exponential-backoff@3.1.2
• b59097f #​8378 node-gyp@11.2.0
• 8b29435 #​8378 debug@4.4.1
• 4c8e170 #​8378 cidr-regex@4.1.3
• 9bb94a3 #​8378 is-cidr@5.1.1
• a1dbb0b #​8378 ci-info@4.2.0
• 0a5f2ff #​8378 chalk@5.4.1
• 7912c9c #​8378 brace-expansion@2.0.2
• 19028b8 #​8378 agent-base@7.1.3
• fd26776 #​8378 abbrev@3.0.1
• dbb23ab #​8378 sigstore@3.1.0
• 92feb9b #​8378 @sigstore/protobuf-specs@0.4.3
• 4fd7174 #​8378 @sigstore/tuf@3.1.1
• b327bc2 #​8378 @npmcli/run-script@9.1.0
• 04e7e1c #​8378 @npmcli/redact@3.2.2.
• 90d2aab #​8378 @npmcli/query@4.0.1
• 2e47537 #​8378 @npmcli/package-json@6.2.0
• a5eb5dd #​8378 @npmcli/git@6.0.3

Chores

• 15e545b #​8384 @npmcli/template-oss@4.24.4 (#​8384) (@​wraithgar)
• fb5a9f2 #​8378 @npmcli/template-oss@4.24.3 (@​wraithgar)
• 19da79a #​8378 dev dependency updates (@​wraithgar)
• workspace: @npmcli/arborist@8.0.1
• workspace: libnpmdiff@7.0.1
• workspace: libnpmexec@9.0.1
• workspace: libnpmfund@6.0.1
• workspace: libnpmpack@8.0.1

v10.9.2

Compare Source

Dependencies

• ae9345e #​7959 @npmcli/run-script@9.0.2
• 39a19b3 #​7959 node-gyp@11.0.0
• 93e2186 #​7956 @npmcli/map-workspaces@4.0.2
• bf0ea00 #​7956 @npmcli/package-json@6.1.0
• c84baa3 #​7956 init-package-json@7.0.2
• e642099 #​7956 node-gyp@10.3.1

v10.9.1

Compare Source

Bug Fixes

• c7fe0db #​7924 perf: enable compile cache if present (#​7924) (@​H4ad)

Dependencies

• a221db7 #​7931 npm-install-checks@7.1.1
• fbad17a #​7931 hosted-git-info@8.0.2
• 65d2a86 #​7922 @sigstore/tuf@3.0.0
• be45963 #​7922 sigstore@3.0.0
• fb0bfbd #​7922 spdx-license-ids@3.0.20
• ccadf2a #​7922 promise-call-limit@3.0.2
• b25712e #​7922 package-json-from-dist@1.0.1
• 1c9e96f #​7922 negotiator@0.6.4
• f13bc9c #​7922 debug@4.3.7
• 029060c #​7922 cross-spawn@7.0.6
• 9350950 #​7922 @npmcli/metavuln-calculator@8.0.1
• c003827 #​7922 ansi-regex@6.1.0
• d6194f5 #​7922 pacote@19.0.1
• 4ff29f6 #​7922 npm-registry-fetch@18.0.2
• fd6f4fb #​7922 make-fetch-happen@14.0.3
• b3f3004 #​7922 ci-info@4.1.0
• a1f9d48 #​7922 promise-spawn@8.0.2

Chores

• 3ace1c1 #​7922 update arborist in mock-registry (@​wraithgar)
• workspace: libnpmpublish@10.0.1

v10.9.0

Compare Source

Features

• 4d57928 #​7766 devEngines (#​7766) (@​reggi)

Bug Fixes

• 6ca609e #​7789 ping and doctor commands fix for checking if registry is online (#​7789) (@​milaninfy)

Documentation

• 63d6a73 #​7783 package.json: add brief section on exports, link to Node.js docs (#​7783) (@​wheresrhys)
• 366c07e #​7776 remove incorrect note about npm install (#​7776) (@​wraithgar)

Dependencies

• 60a7ee5 #​7803 hoist npm-normalize-package-bin
• 20dd44f #​7803 hoist minipass-fetch
• 5795987 #​7803 update proggy@3.0.0
• 99ccae3 #​7803 update bin-links@5.0.0
• 75786ad #​7803 update @npmcli/query@4.0.0
• 1c25a1d #​7803 update @npmcli/node-gyp@4.0.0
• 2d7fc3d #​7803 update @npmcli/name-from-folder@3.0.0
• 1e09334 #​7803 update @npmcli/metavuln-calculator@8.0.0
• 820e983 #​7803 update @npmcli/installed-package-contents@3.0.0
• 9cd6603 #​7803 update read-package-json-fast@4.0.0
• b84d907 #​7803 update @npmcli/git@6.0.1
• 53ed632 #​7803 update write-file-atomic@6.0.0
• ab40dab #​7803 update which@5.0.0
• b1c4770 #​7803 update validate-npm-package-name@6.0.0
• 8206c4f #​7803 update ssri@12.0.0
• 8b7dbc8 #​7803 update read@4.0.0
• f6909a0 #​7803 update proc-log@5.0.0
• f9b2e18 #​7803 update parse-conflict-json@4.0.0
• e7ab206 #​7803 update pacote@19.0.0
• b28dbb1 #​7803 update npm-user-validate@3.0.0
• d13a20b #​7803 update npm-registry-fetch@18.0.1
• 5208f74 #​7803 update npm-profile@11.0.1
• 092f41f #​7803 update npm-pick-manifest@10.0.0
• 50a7bc8 #​7803 update npm-package-arg@12.0.0
• 591130d #​7803 update npm-install-checks@7.1.0
• be6ae96 #​7803 update npm-audit-report@6.0.0
• 8d4060a #​7803 update normalize-package-data@7.0.0
• 105fa2b #​7803 update nopt@8.0.0
• eae4f57 #​7803 update make-fetch-happen@14.0.1
• 7214149 #​7803 update json-parse-even-better-errors@4.0.0
• c4bed31 #​7803 update init-package-json@7.0.1
• f54b155 #​7803 update ini@5.0.0
• 6deae9e #​7803 update hosted-git-info@8.0.0
• 034c729 #​7803 update cacache@19.0.1
• ddb8be0 #​7803 update abbrev@3.0.0
• 538a4cc #​7803 update @npmcli/run-script@9.0.1
• b80d048 #​7803 update @npmcli/redact@3.0.0
• 81137fc #​7803 update @npmcli/promise-spawn@8.0.1
• 2076368 #​7803 update @npmcli/package-json@6.0.1
• feac87c #​7803 update @npmcli/map-workspaces@4.0.1
• dd90f9e #​7803 update @npmcli/fs@4.0.0

Chores

• 95e2cb1 #​7810 ignore .github folder in release-please (@​reggi)
• be1e6da #​7803 update minify-registry-metadata@4.0.0 (@​reggi)
• 43f2374 #​7803 update ignore-walk@7.0.0 (@​reggi)
• bb03036 #​7803 update npm-packlist@9.0.0 (@​reggi)
• 2072705 #​7803 update @npmcli/eslint-config@5.0.1 (@​reggi)
• 949d8f8 #​7803 engine ^18.17.0 || >=20.5.0 in package template (@​reggi)
• fefd509 #​7764 deps: bump actions/download-artifact from 3 to 4 in /.github/workflows (#​7764) (@​dependabot[bot], @​wraithgar)
• workspace: @npmcli/arborist@8.0.0
• workspace: @npmcli/config@9.0.0
• workspace: libnpmaccess@9.0.0
• workspace: libnpmdiff@7.0.0
• workspace: libnpmexec@9.0.0
• workspace: libnpmfund@6.0.0
• workspace: libnpmhook@11.0.0
• workspace: libnpmorg@7.0.0
• workspace: libnpmpack@8.0.0
• workspace: libnpmpublish@10.0.0
• workspace: libnpmsearch@8.0.0
• workspace: libnpmteam@7.0.0
• workspace: libnpmversion@7.0.0

v10.8.3

Compare Source

Bug Fixes

• 7e61151 #​7759 docs: init usage description corrected (#​7759) (@​milaninfy)
• 2404c7e #​7738 publish: consider package-spec when inside workspace dir (#​7738) (@​milaninfy)
• 91e46a3 #​7721 init: use locally installed version of given package (#​7721) (@​milaninfy)
• 4e81a6a #​7674 always set exit code if exiting uncleanly (#​7674) (@​wraithgar, @​hashtagchris)
• a947f25 #​7679 update lifecycle script list in run-script (#​7679) (@​sonsurim)

Documentation

• e674987 #​7743 update docs for npmrc and package-json (#​7743) (@​milaninfy)
• 24d5350 #​7742 fix and update scoped configuration example (#​7742) (@​demedos)

Dependencies

• 3fd7a48 #​7737 lru-cache@10.4.3
• d7e462b #​7737 jackspeak@3.4.3
• df58b0c #​7737 glob@10.4.5
• 7342c24 #​7737 foreground-child@3.3.0
• 2986f4e #​7737 cacache@18.0.4
• a44ab26 #​7737 postcss-selector-parser@6.1.2
• 4e965ad #​7737 semver@7.6.3
• 12587fa #​7737 npm-package-arg@11.0.3
• 1a9ac86 #​7737 debug@4.3.6
• a303ddd #​7737 node-gyp@10.2.0

Chores

• 1772276 #​7756 fix duplicate changelog entries (@​wraithgar)
• 8035725 #​7756 @npmcli/template-oss@4.23.3 (@​wraithgar)
• ed4add1 #​7737 dev dependency updates (@​wraithgar)
• 86b05fc #​7683 allow for longer timer values (#​7683) (@​wraithgar)
• workspace: libnpmexec@8.1.4

v10.8.2

Compare Source

Bug Fixes

• 3101a40 #​7631 limit concurrent open files during 'npm cache verify' (#​7631) (@​oikumene)
• 2273183 #​7595 outdated: fixed wanted range for alias with version range (#​7595) (@​milaninfy)
• 15be6dd #​7574 don't try parsing workspaces if none exist (@​wraithgar)

Documentation

• ac937d4 #​7616 install: add save-peer flag (#​7616) (@​drew4237)
• 55639ef #​7615 use git+https in package.com url examples (#​7615) (@​MikeMcC399)
• 93883bb #​7582 Improve manpage section for package.json funding properties (#​7582) (@​kemitchell)
• 92e71e6 #​7576 fix links to community discussions (#​7576) (@​leobalter)

Dependencies

• 1c1adae #​7636 npm-pick-manifest@9.1.0
• 5e4fa18 #​7636 socks-proxy-agent@8.0.4
• d8fa116 #​7636 https-proxy-agent@7.0.5
• 76dab91 #​7636 normalize-package-data@6.0.2
• 094c4ea #​7636 minimatch@9.0.5
• 1c8d41d #​7636 @npmcli/git@5.0.8
• e5451e1 #​7605 jackspeak@3.4.0
• 7b584d3 #​7605 foreground-child@3.2.1
• 941d0d7 #​7605 debug@4.3.5
• 8b8ce7a #​7605 glob@10.4.2
• 4646768 #​7605 npm-registry-fetch@17.1.0
• 6f0d7ce #​7605 @npmcli/redact@2.0.1
• 29204c8 #​7605 @npmcli/package-json@5.2.0
• 04d6910 #​7574 @npmcli/package-json@5.1.1
• 4ef4830 #​7574 remove read-package-json-fast

Chores

• 2490b49 #​7621 remove .github/workflows/benchmark.yml (#​7621) (@​wraithgar)
• 3b8b111 #​7605 update devDependencies in lockfile (@​wraithgar)

---

• If you want to rebase/retry this PR, check this box