---
title: "Deno 2.8 Ships Audit Fix, CI Subcommand, and Native Pack Tool"
description: "Deno 2.8 drops with four new CLI subcommands, improved Node.js compatibility, and a Rust-based package packager targeting npm registries."
date: 2026-06-01
image: "/images/heroes/2026-06-01--deno-2-8-audit-fix-ci-pack-subcommands.png"
author: lschvn
tags: ["runtimes", "typescript", "javascript"]
---

[Deno](/articles/2026-04-07--deno-2-7-stabilizes-temporal-api-windows-arm-npm-overrides) 2.8 is out, and this time the headline isn't a single killer feature but a cluster of quality-of-life improvements that tighten the gap with [Node.js](/articles/2026-04-12--nodejs-25-stream-iter-async-streams) while adding genuinely new tooling. The release dropped May 22, with a patch (v2.8.1) following five days later.

<!-- more -->

## TLDR

- `deno audit fix` automatically patches vulnerable npm packages in one command
- `deno ci` gives CI pipelines a single, reproducible install signal
- `deno pack` builds npm-ready tarballs directly from Deno projects
- Node.js compatibility coverage climbs toward 75%, per Deno's roadmap goals

---

## `deno audit fix`: One-Command Vulnerability Remediation

`deno audit` landed in Deno 2.6 as a security auditing tool for npm packages. Deno 2.8 goes further with `deno audit fix`, which automatically upgrades vulnerable packages to the nearest patched version that still satisfies your version constraints.

```bash
$ deno audit fix
╭ body-parser vulnerable to denial of service when url encoding is enabled
│ Severity: high
│ Package: body-parser
│ Vulnerable: <1.20.3
╰ Info: https://github.com/advisories/GHSA-qwcr-r2fm-qrc7
```

If a package requires a major-version bump, Deno lists it separately so you can decide whether to relax constraints. Anything within semver range gets fixed silently.

---

## `deno ci`: Reproducible CI Installs

Deno 2.8 introduces `deno ci`, a dedicated subcommand for CI environments and Dockerfiles. Previously, getting a reproducible install meant remembering the right combination of flags on `deno install`. Now:

```bash
$ deno ci
```

It errors if `deno.lock` is missing, removes any existing `node_modules`, and runs the install with `--frozen so the lockfile must match the config exactly. Drop it into a CI step or Dockerfile and you get an obvious, greppable signal of "reproducible install" with no flag memorization required.

---

## `deno pack`: Build npm Tarballs Without Leaving Deno

`deno pack` combines the behavior of `tsc` and `npm pack` into a single command. Given a `deno.json`:

```json
{
  "name": "@scope/my-lib",
  "version": "1.0.0",
  "exports": "./mod.ts"
}
```

Running `deno pack` produces a `scope-my-lib-1.0.0.tgz` ready for `npm publish`. The tarball includes:

- A generated `package.json` with `type: "module"`, conditional exports, and extracted runtime dependencies
- TypeScript transpiled to JavaScript
- `.d.ts` declaration files extracted via the same fast-check pipeline `deno publish` uses
- README and LICENSE files

Specifiers are rewritten so packages work inside the npm ecosystem: `jsr:@std/path` becomes `@jsr/std__path`, relative imports gain `.js` extensions, and `node:` builtins are left alone.

---

## `deno bump-version`: Semver Management for Workspaces

`deno bump-version` updates the version field in your `deno.json` or `package.json` with standard semver increments:

```bash
$ deno bump-version patch
$ deno bump-version minor
$ deno bump-version major
$ deno bump-version prerelease
```

In a workspace, running from the root applies the same increment to every member package, rewrites matching `jsr:` version constraints, and updates the import map so cross-package references stay in sync. Without an argument, workspace mode derives per-package bumps from Conventional Commits between a base ref and the current branch.

---

## Node.js Compatibility: Heading Toward 75%

Deno's stated goal is reaching 75% Node.js compatibility by 2026. The 2.8 release advances this with broader `node:` module coverage, improved TLS/SSL context handling, and better compatibility with npm packages that rely on Node.js internals. The changelog lists dozens of `ext/node` fixes covering `fs.promises`, `crypto`, `http`, `tls`, and `sqlite`.

The team has also been working on `module.registerHooks()` for CommonJS hot-reloading, synthetic ESM for `node:worker_threads`, and async module resolution, all of which land in 2.8.

---

## Other Notable Changes

- `deno check --watch` now watches type-check dependencies for changes
- `deno why <specifier>` explains why a dependency is in your lockfile
- Browser `package.json` `exports` field maps are now supported in bundling
- New `node:perf_hooks` APIs: `createHistogram`
- Network CDP inspector events for both `fetch()` and `node:http`

---

## FAQ

**How do I upgrade?**
Run `deno upgrade` or install fresh from `deno.land/install.sh`.

**Does `deno pack` replace `deno publish`?**
No. `deno publish` publishes to JSR; `deno pack` targets npm registries. They serve different ecosystems.

**Is this release backward compatible?**
Yes. Deno 2.8 maintains full backward compatibility with 2.x. Breaking changes are not planned until a future major version.

**What's the Node.js compatibility number for 2.8 specifically?**
Deno hasn't published a precise percentage for 2.8. The 75% figure is the roadmap target for mid-2026.
