typescript.news
npm 11.18 Promotes the `linked` Install Strategy to Stable, Adds the `npm install-scripts` Namespace, and Warns When `min-release-age` Blocks an Audit Fix
toolingecosystem

npm 11.18 Promotes the `linked` Install Strategy to Stable, Adds the `npm install-scripts` Namespace, and Warns When `min-release-age` Blocks an Audit Fix

lschvn

npm 11.18.0, published on June 29, 2026, is the release that finishes the work the npm CLI has been doing on isolated installs for the last three and a half years. The headline is PR #9677 (backport of #9674), which graduates --install-strategy=linked from experimental to stable. The mode was added in PR #6078 on January 25, 2023 against npm/rfcs#0042, the isolated-mode RFC that came out of the 2022 Contributor Summit. The promotion removes the implicit "this might eat your node_modules" warning the docs have carried since 2023 and is the closing event of the npm team's longest-running install-strategy effort.

The release is the second feature release of the v11 line this month and ships alongside the npm v12 prerelease the team tagged the same day. The v11 line is the stable line; the v12 prerelease is where the block-unreviewed-install-scripts-by-default change and the linked mode graduation get re-applied against the upcoming major.

What --install-strategy=linked actually does

The default npm install strategy is hoisted. Every transitive dependency is duplicated into the top-level node_modules so any package can require any other transitive package that happens to be hoisted, even when nothing in package.json declares it. That is the root cause of phantom dependencies: code that imports a library it never added to its own dependencies, and the bug only surfaces when a coworker installs with a clean node_modules and the hoisting happens to be different.

--install-strategy=linked (also called isolated mode) installs every package into node_modules/.store/<name>@<version>/node_modules/<dep> and symlinks each package's declared dependencies into its own node_modules/<dep>. The result is that a package can only import what it declared. If it imports an undeclared library, the import fails immediately instead of working by accident and shipping broken.

The npm install docs describe the four strategies this way:

  • hoisted (default): install non-duplicated at top level, duplicated as necessary within directory structure.
  • nested (formerly --legacy-bundling): install in place, no hoisting.
  • shallow (formerly --global-style): only install direct deps at top level.
  • linked: install in node_modules/.store, link in place, unhoisted.

The release notes for 11.18 add the docs recommendation that made the strategy a real recommendation rather than a hidden CLI flag. The docs page now reads: "We recommend that package authors use --install-strategy=linked during development to catch undeclared (phantom) dependencies before publishing: the isolated layout only exposes a package's declared dependencies, so an import of a package that was never added to package.json can fail instead of resolving by accident and shipping broken. See Catching undeclared (phantom) dependencies."

That sentence was added by PR #9690, the docs change that backports alongside the graduation.

Why the 3.5-year experimental period

Three reasons. First, the experimental flag came with sharp edges. The team's tracking issue #9608 ([Tracking] install-strategy=linked (isolated mode) bugs) lists 19 separate bugs across the install path, the audit path, the npm exec path, and the npm ls path that the 11.18 release closes. The four that the team called out as the worst are audit returning zero results on a real vulnerability (#9609), npm ls reporting false UNMET DEPENDENCY (#9095), napi-postinstall failing to resolve an installed optional native binding (#9620), and the .store layout mismatch with the hidden lockfile (#9612). The 11.18 fixes for each of those are PRs #9638, #9095's follow-on under #9638's logic, #9620's fix under #9665, and #9642 respectively.

Second, the strategy needed an audit story. PR #9625 audits the non-isolated tree under the linked strategy, so npm audit walks both the linked view and the underlying store and reports vulnerabilities accurately. PR #9638 makes the audit report deterministic by re-attaching the dropped via links so two consecutive npm audit runs on an unchanged lockfile produce byte-identical output, which the team's CI infrastructure depends on for diff-based regression tests.

Third, the workspace story. PR #9666 and PR #9665 teach the linked strategy to load transitive optional deps and to apply dev/prod flags correctly inside workspaces; #9648 makes npm exec resolve workspace-local bins; #9669 surfaces undeclared workspaces under the linked strategy so a missing workspaces entry does not silently produce a partial install. Before 11.18 the linked strategy worked for single-package repos but tripped over workspace setups; after 11.18 it is the recommended daily driver for workspaces.

The new npm install-scripts namespace

PR #9635 (backport of #9629) introduces a namespaced npm install-scripts command that owns three subcommands: npm install-scripts approve, npm install-scripts deny, and npm install-scripts ls. The previous npm approve-scripts and npm deny-scripts commands are kept as aliases for one release, then retired. The namespace re-points the install-time, rebuild, and strict-allow-scripts guidance at the new commands so a developer who runs npm install and hits the new npm install blocked N scripts line gets pointed at the same family of commands.

The reason for the namespace is that approve-scripts was a special-case command sitting next to the rest of npm's command surface; install-scripts makes it part of the same family as install, install-test, and the rest. It also gives the team room to add subcommands: npm install-scripts ls is new in 11.18 and prints the current allow/deny list with package names and paths.

The release also adds PR #9662 (install-scripts: prune unused allowScripts entries), which sweeps the allow list every install and removes entries whose package is no longer in dependencies. This closes a long-standing wart where the allow list grew monotonically: if you approved esbuild for package-a, then removed esbuild from package-a's deps and added it to package-b's deps, the allow list kept the original entry. After 11.18 the sweep removes it as part of npm install, and the user is asked to re-approve under package-b.

The min-release-age audit-fix warning

PR #9564 (backport of #9544) teaches npm audit fix to detect when the fix it would apply is blocked by the minimumReleaseAge policy set in .npmrc. The same policy is shipped by pnpm, and the Astro 6.4.4 update flow surfaces it for @astrojs/upgrade. The npm version warns explicitly when the policy blocks an audit fix, instead of silently doing nothing:

npm audit fix
# 3 vulnerabilities (1 low, 1 moderate, 1 high)
# 
# Could not auto-fix 1 vulnerability:
#   package: glob-parent <6.0.0 (transitive via some-tool)
#   blocked by minimumReleaseAge=4320 (cool-down window)
#   set `minimum-release-age=0` or wait for the cool-down to expire.

The text is the same shape as the pnpm ERR_PNPM_MIN_RELEASE_AGE warning. The npm team's PR description says they "want users to be able to tell the difference between 'no fix available' and 'fix exists but is being held back by policy'," which the previous npm audit fix output did not.

SBOM and other fixes

Three npm sbom fixes ship in 11.18. PR #9693 percent-encodes the vcs_url qualifier in the generated purls, which closes a long-standing CP-tooling bug where a git+https://github.com/foo bar/bar URL (with a space) was emitted verbatim and rejected by downstream parsers. #9631 audits the non-isolated tree under the linked strategy so the SBOM and npm audit reports both pick up the full dep set. #9641 validates peerOptional conflicts in no-save mutations, which means npm install some-pkg --no-save will refuse to install if it would create a peerOptional conflict.

The release also fixes PR #9602 (don't flag inert optional deps in strict-allow-scripts), #9607 (approve deps with no resolved URL by name), and #9663 (close allowScripts enforcement gaps). Together they mean the strict-allow-scripts mode added in npm 11.5 now correctly distinguishes between packages that need scripts (the install hook is on, the audit hook will catch them) and packages that don't (the install hook is off because there is no install script).

Why this matters

--install-strategy=linked is npm's answer to the question pnpm has been answering since 2017: how do you stop a package from importing a transitive dependency it never declared? pnpm never carried the experimental flag; yarn berry ships PnP by default; npm is the third of the three to reach "stable and recommended for daily use." The graduation is the moment when the install model that everyone else treats as the default is finally a default-recommended path on npm.

For package authors the practical change is small and concrete. Add this to .npmrc:

install-strategy=linked

Then run npm install in CI as part of npm publish. If the build now fails because some test file imports an undeclared library, you have a real bug to fix before publishing, not a phantom dep that will explode in a coworker's clean install.

The same change applies to monorepo owners. The 11.18 fixes for npm exec (#9648), npm ls (#9664), workspaces (#9666), and the .store cleanup on strategy switch (#9649) close the gaps that made --install-strategy=linked unusable for workspaces before. A monorepo can ship install-strategy=linked in .npmrc at the root and rely on it propagating through workspaces.

The release is also the first one since the June 6 supply chain piece that closes the strict-allow-scripts audit gaps from that article. The --install-blocked-scripts and strict-allow-scripts flags from npm 11.5 are now usable end-to-end, and the new npm install-scripts namespace is where the approvals live.

Frequently Asked Questions

Oxlint v1.72 and Oxfmt v0.57 Land the v0.138 Crates Cycle, Unify the AstBuilder, and Retire the Prettier CSS/GraphQL Fallback

Oxlint apps_v1.72.0 and oxfmt apps_v0.57.0, both published on 2026-06-29, close out the v0.138 crates cycle predicted in the [v1.71 release notes](/articles/2026-06-23--oxlint-v1-71-oxfmt-v0-56). The crates release (crates_v0.138.0, also 2026-06-29) unifies the old and new AstBuilder APIs (#23876, #23834, #23831, with legacy methods marked `#[deprecated]`), renames `AllocatorAccessor` to `GetAllocator` and switches its `allocator` method to take `&self` (#23675, #23676), makes `Str` and `Ident` methods take `&GetAllocator` (#23781), adds `transformer_plugins: Support typeof define keys` for vue-i18n and similar macros (#23605, Alexander Lichter), and ships the headline perf entry of the cycle: `minifier: memoize value_type to remove its O(n^2) re-walk on long binary chains` (#23929, Dunqing), which turns a 20k-term arithmetic-addition chain from 6,118 ms to 4.7 ms (~1300x) and a real-world antd.js bundle from 78.1 ms to 65.4 ms. Oxlint v1.72.0 ships 3 features (React `no-unknown-property` suggestion #23936, AstBuilder unification #23875, `eslint/no-restricted-import` schema #23642), 18 bug fixes, and 23 performance entries. Oxfmt v0.57.0 carries two BREAKING changes that retire the Prettier fallback for CSS/LESS/SCSS and GraphQL files: `Format parser:css,less,scss files + css-in-js by oxc_formatter_css` (#23321, leaysgur) and `Support draft syntax with removing prettier fallback` (#23326, leaysgur), both landing on top of the new `oxc_formatter_css` (#23320) and `oxc_formatter_graphql` (#23317) crates.

Related articles

More coverage with overlapping topics and tags.

Prettier 3.9 Overhauls Five Parsers: micromark for Markdown, yaml v2, GraphQL.js v17, a Rust-Based Flow Parser, and Angular
tooling

Prettier 3.9 Overhauls Five Parsers: micromark for Markdown, yaml v2, GraphQL.js v17, a Rust-Based Flow Parser, and Angular

Prettier 3.9.0, released June 27, 2026 (prettier/prettier, blog post by Fisker Cheung), is a parser-heavy release that upgrades Markdown from remark-parse v8 to micromark v4 (better CommonMark and GFM compliance and a stack of long-standing bug fixes), YAML to yaml v2, GraphQL to GraphQL.js v17 (fragment arguments and directives on directive definitions), Flow to the Flow team's new Rust-based oxidized parser (roughly 37% faster on Prettier's valid Flow fixtures and 43% faster on flow_parser.js in local parser-only benchmarks), and Angular. The JavaScript and TypeScript printer is reworked too, particularly in --no-semi mode where comments around break and continue are now stable across repeated formats (an idempotency fix), plus redundant parenthesis removal in return statements, embedded-template interpolation alignment, and logical-not inlining. The release drops the legacy import ... assert {} syntax (Babel 8 removed the parser plugin; migrate to with), fixes a silently broken --cache-strategy content option, and stops EditorConfig files above Git worktrees from leaking in. The team reiterates pinning the exact version in package.json because the formatting changes will produce diffs.
pnpm 11.8 Ships `install --dry-run`, Node.js Package Maps, and Per-Package SBOM
tooling

pnpm 11.8 Ships `install --dry-run`, Node.js Package Maps, and Per-Package SBOM

pnpm 11.8.0 (June 18, 2026) adds a long-requested `--dry-run` for `pnpm install`, experimental Node.js package maps at `node_modules/.package-map.json`, CycloneDX devDependencies scope and per-package SBOM generation, and a macOS Gatekeeper fix that strips quarantine from native binaries. It also closes a configDependencies path-traversal advisory (GHSA-qrv3-253h-g69c) three days after the 11.7 lockfile hardening.
Google Cloud's Open Knowledge Format Is a Standard, Not a Product: A Deep Dive Into OKF v0.1
tooling

Google Cloud's Open Knowledge Format Is a Standard, Not a Product: A Deep Dive Into OKF v0.1

On June 12, 2026, Google Cloud published the Open Knowledge Format (OKF), an open specification that formalizes the LLM-wiki pattern into a portable, interoperable format: a directory of markdown files with YAML frontmatter, one required field (type), five recommended ones, and zero required tooling. The tweet from Google Cloud Tech on June 16 drove 117,000 views in 24 hours and made the spec the most-discussed knowledge-format launch of the year. This long read walks through the v0.1 spec section by section, the design choices that make it deliberately minimal, what Google is shipping alongside it (an enrichment agent for BigQuery, a static HTML visualizer, three sample bundles, and a native BigQuery Knowledge Catalog integration), and the open question every AI agent builder and data platform team should be tracking over the next six months.

Comments

Log in Log in to join the conversation.

No comments yet. Be the first to share your thoughts.