npm · owlstronaut · Jul 7, 2025 · Jul 7, 2025 · Jul 7, 2025 · Jul 7, 2025
@@ -48,11 +48,11 @@ jobs:
       - name: Install Dependencies
         run: npm i --no-audit --no-fund
       - name: Lint
-        run: npm run lint --ignore-scripts -w cli
+        run: npm run lint --ignore-scripts --workspace cli
       - name: Post Lint
-        run: npm run postlint --ignore-scripts -w cli
+        run: npm run postlint --ignore-scripts --workspace cli
       - name: Check Format
-        run: npm run format:check --ignore-scripts --if-present -w cli
+        run: npm run format:check --ignore-scripts --if-present --workspace cli
 
   test:
     name: Test - ${{ matrix.platform.name }} - ${{ matrix.node-version }}
@@ -93,4 +93,4 @@ jobs:
       - name: Add Problem Matcher
         run: echo "::add-matcher::.github/matchers/tap.json"
       - name: Test
-        run: npm test --ignore-scripts -w cli
+        run: npm test --ignore-scripts --workspace cli
@@ -55,7 +55,7 @@ jobs:
           else
             # strip leading slash from directory so it works as a
             # a path to the workspace flag
-            echo "workspace=-w ${dependabot_dir#/}" >> $GITHUB_OUTPUT
+            echo "workspace=--workspace ${dependabot_dir#/}" >> $GITHUB_OUTPUT
           fi
 
       - name: Apply Changes

@@ -147,7 +147,6 @@ This process can, of course, be done manually. This may be useful for editing it
 
 1. Review the configuration  
    The `cli/releases.json` configures how the CLI documentation is included. It is an array of documentation versions, each having the following configuration:
-
    - `id`: A short identifier for the documentation version, eg `v6` or `v7`. This corresponds to a directory containing a version of the CLI repository (using a submodule). This will also be used as the output folder in the content.
    - `branch`: The branch name for the version. This will be used to fetch the latest version of the documentation from GitHub.
    - `spec`: The registry spec for the version. This will be used to fetch the latest version in that range from the registry.

@@ -79,7 +79,6 @@ Even if you never publish your package, you can still get a lot of benefits of u
   Install a package that is sitting on the filesystem. Note: if you just want to link a dev directory into your npm root, you can do this more easily by using [`npm link`](/cli/v10/commands/npm-link).
 
   Tarball requirements:
-
   - The filename _must_ use `.tar`, `.tar.gz`, or `.tgz` as the extension.
   - The package contents should reside in a subfolder inside the tarball (usually it is called `package/`). npm strips one directory layer when installing the package (an equivalent of `tar x --strip-components=1` is run).
   - The package must contain a `package.json` file with `name` and `version` properties.
@@ -113,7 +112,6 @@ Even if you never publish your package, you can still get a lot of benefits of u
   ```
 
   `npm install` saves any specified packages into `dependencies` by default. Additionally, you can control where and how they get saved with some additional flags:
-
   - `-P, --save-prod`: Package will appear in your `dependencies`. This is the default unless `-D` or `-O` are present.
 
   - `-D, --save-dev`: Package will appear in your `devDependencies`.
@@ -125,7 +123,6 @@ Even if you never publish your package, you can still get a lot of benefits of u
   - `--no-save`: Prevents saving to `dependencies`.
 
   When using any of the above options to save dependencies to your package.json, there are two additional, optional flags:
-
   - `-E, --save-exact`: Saved dependencies will be configured with an exact version rather than using npm's default semver range operator.
 
   - `-B, --save-bundle`: Saved dependencies will also be added to your `bundleDependencies` list.
@@ -213,7 +210,6 @@ Even if you never publish your package, you can still get a lot of benefits of u
   If the package being installed contains a `prepare` script, its `dependencies` and `devDependencies` will be installed, and the prepare script will be run, before the package is packaged and installed.
 
   The following git environment variables are recognized by npm and will be added to the environment when running git:
-
   - `GIT_ASKPASS`
   - `GIT_EXEC_PATH`
   - `GIT_PROXY_COMMAND`

@@ -54,7 +54,6 @@ updated: 2017-10-02T21:29:45.922Z
 - `npm profile set password`: Change your password. This is interactive, you'll be prompted for your current password and a new password. You'll also be prompted for an OTP if you have two-factor authentication enabled.
 
 - `npm profile enable-2fa [auth-and-writes|auth-only]`: Enables two-factor authentication. Defaults to `auth-and-writes` mode. Modes are:
-
   - `auth-only`: Require an OTP when logging in or making changes to your account's authentication. The OTP will be required on both the website and the command line.
   - `auth-and-writes`: Requires an OTP at all the times `auth-only` does, and also requires one when publishing a module, setting the `latest` dist-tag, or changing access via `npm access` and `npm owner`.
 

@@ -119,7 +119,6 @@ npm v7 ignores this section entirely if a `packages` section is present, but doe
 Dependency objects have the following fields:
 
 - version: a specifier that varies depending on the nature of the package, and is usable in fetching a new copy of it.
-
   - bundled dependencies: Regardless of source, this is a version number that is purely for informational purposes.
   - registry sources: This is a version number. (eg, `1.2.3`)
   - git sources: This is a git specifier with resolved committish. (eg, `git+https://example.com/foo/bar#115311855adb0789a0466714ed48a1499ffea97e`)

@@ -75,7 +75,6 @@ Even if you never publish your package, you can still get a lot of benefits of u
   Install a package that is sitting on the filesystem. Note: if you just want to link a dev directory into your npm root, you can do this more easily by using `npm link`.
 
   Tarball requirements:
-
   - The filename _must_ use `.tar`, `.tar.gz`, or `.tgz` as the extension.
   - The package contents should reside in a subfolder inside the tarball (usually it is called `package/`). npm strips one directory layer when installing the package (an equivalent of `tar x --strip-components=1` is run).
   - The package must contain a `package.json` file with `name` and `version` properties.
@@ -114,7 +113,6 @@ Even if you never publish your package, you can still get a lot of benefits of u
           npm install npa@npm:npm-package-arg
 
   `npm install` saves any specified packages into `dependencies` by default. Additionally, you can control where and how they get saved with some additional flags:
-
   - `-P, --save-prod`: Package will appear in your `dependencies`. This is the default unless `-D` or `-O` are present.
 
   - `-D, --save-dev`: Package will appear in your `devDependencies`.
@@ -124,7 +122,6 @@ Even if you never publish your package, you can still get a lot of benefits of u
   - `--no-save`: Prevents saving to `dependencies`.
 
   When using any of the above options to save dependencies to your package.json, there are two additional, optional flags:
-
   - `-E, --save-exact`: Saved dependencies will be configured with an exact version rather than using npm's default semver range operator.
 
   - `-B, --save-bundle`: Saved dependencies will also be added to your `bundleDependencies` list.
@@ -201,7 +198,6 @@ Even if you never publish your package, you can still get a lot of benefits of u
   If the package being installed contains a `prepare` script, its `dependencies` and `devDependencies` will be installed, and the prepare script will be run, before the package is packaged and installed.
 
   The following git environment variables are recognized by npm and will be added to the environment when running git:
-
   - `GIT_ASKPASS`
   - `GIT_EXEC_PATH`
   - `GIT_PROXY_COMMAND`

@@ -64,7 +64,6 @@ Change your profile information on the registry. This not be available if you're
 - `npm profile set password`: Change your password. This is interactive, you'll be prompted for your current password and a new password. You'll also be prompted for an OTP if you have two-factor authentication enabled.
 
 - `npm profile enable-2fa [auth-and-writes|auth-only]`: Enables two-factor authentication. Defaults to `auth-and-writes` mode. Modes are:
-
   - `auth-only`: Require an OTP when logging in or making changes to your account's authentication. The OTP will be required on both the website and the command line.
   - `auth-and-writes`: Requires an OTP at all the times `auth-only` does, and also requires one when publishing a module, setting the `latest` dist-tag, or changing access via `npm access` and `npm owner`.
 

@@ -81,7 +81,6 @@ Even if you never publish your package, you can still get a lot of benefits of u
   Install a package that is sitting on the filesystem. Note: if you just want to link a dev directory into your npm root, you can do this more easily by using [`npm link`](/cli/v7/commands/npm-link).
 
   Tarball requirements:
-
   - The filename _must_ use `.tar`, `.tar.gz`, or `.tgz` as the extension.
   - The package contents should reside in a subfolder inside the tarball (usually it is called `package/`). npm strips one directory layer when installing the package (an equivalent of `tar x --strip-components=1` is run).
   - The package must contain a `package.json` file with `name` and `version` properties.
@@ -115,7 +114,6 @@ Even if you never publish your package, you can still get a lot of benefits of u
   ```
 
   `npm install` saves any specified packages into `dependencies` by default. Additionally, you can control where and how they get saved with some additional flags:
-
   - `-P, --save-prod`: Package will appear in your `dependencies`. This is the default unless `-D` or `-O` are present.
 
   - `-D, --save-dev`: Package will appear in your `devDependencies`.
@@ -125,7 +123,6 @@ Even if you never publish your package, you can still get a lot of benefits of u
   - `--no-save`: Prevents saving to `dependencies`.
 
   When using any of the above options to save dependencies to your package.json, there are two additional, optional flags:
-
   - `-E, --save-exact`: Saved dependencies will be configured with an exact version rather than using npm's default semver range operator.
 
   - `-B, --save-bundle`: Saved dependencies will also be added to your `bundleDependencies` list.
@@ -215,7 +212,6 @@ Even if you never publish your package, you can still get a lot of benefits of u
   If the package being installed contains a `prepare` script, its `dependencies` and `devDependencies` will be installed, and the prepare script will be run, before the package is packaged and installed.
 
   The following git environment variables are recognized by npm and will be added to the environment when running git:
-
   - `GIT_ASKPASS`
   - `GIT_EXEC_PATH`
   - `GIT_PROXY_COMMAND`

@@ -66,7 +66,6 @@ Change your profile information on the registry. Note that this command depends
 - `npm profile set password`: Change your password. This is interactive, you'll be prompted for your current password and a new password. You'll also be prompted for an OTP if you have two-factor authentication enabled.
 
 - `npm profile enable-2fa [auth-and-writes|auth-only]`: Enables two-factor authentication. Defaults to `auth-and-writes` mode. Modes are:
-
   - `auth-only`: Require an OTP when logging in or making changes to your account's authentication. The OTP will be required on both the website and the command line.
   - `auth-and-writes`: Requires an OTP at all the times `auth-only` does, and also requires one when publishing a module, setting the `latest` dist-tag, or changing access via `npm access` and `npm owner`.
 

@@ -117,7 +117,6 @@ npm v7 ignores this section entirely if a `packages` section is present, but doe
 Dependency objects have the following fields:
 
 - version: a specifier that varies depending on the nature of the package, and is usable in fetching a new copy of it.
-
   - bundled dependencies: Regardless of source, this is a version number that is purely for informational purposes.
   - registry sources: This is a version number. (eg, `1.2.3`)
   - git sources: This is a git specifier with resolved committish. (eg, `git+https://example.com/foo/bar#115311855adb0789a0466714ed48a1499ffea97e`)

@@ -1468,12 +1468,10 @@ redirect_from:
 
 - [`ed6e6a9d3`](https://github.com/npm/cli/commit/ed6e6a9d3c36ffc5fb77fc25b6d66dbcb26beeb9) `eslint-plugin-standard@4.0.2`
 - [`b737ee999`](https://github.com/npm/cli/commit/b737ee99961364827bacf210a3e5ca5d2b7edad2) [#2009](https://github.com/npm/cli/issues/2009) [#2007](https://github.com/npm/cli/issues/2007) `npm-packlist@2.1.4`:
-
   - Maintain order in package.json files array globs
   - Strip slashes from package files list results
 
 - [`783965508`](https://github.com/npm/cli/commit/783965508d49f8ab0d8ceff38bee700cd0a06a54) [#1997](https://github.com/npm/cli/issues/1997) [#2000](https://github.com/npm/cli/issues/2000) [#2005](https://github.com/npm/cli/issues/2005) `@npmcli/arborist@1.0.4`
-
   - Ensure that root is added when root.meta is set
   - Include all edges in explain() output when a root edge exists
   - Do not conflict on meta-peers that will not be replaced
@@ -1698,26 +1696,22 @@ redirect_from:
 - [`ac5aa709a`](https://github.com/npm/cli/commit/ac5aa709a8609ec2beb7a8c60b3bde18f882f4e8) [#1758](https://github.com/npm/cli/pull/1758) fix scope config
 - [`a36e2537f`](https://github.com/npm/cli/commit/a36e2537fd4c81df53fb6de01900beb9fa4fa0aa) outdated: don't throw on non-version/tag/range dep
 - [`371f0f062`](https://github.com/npm/cli/commit/371f0f06215ad8caf598c20e3d0d38ff597531e9) `@npmcli/arborist@0.0.20`
-
   - Provide explanation objects for `ERESOLVE` errors
   - Support overriding certain classes of `ERESOLVE` errors with `--force`
   - Detect changes to package.json requiring package-lock dependency flag re-evaluation
 
 - [`2a4e2e9ef`](https://github.com/npm/cli/commit/2a4e2e9efecb7f86147e5071c59cfc2461a5a7f5) [#1761](https://github.com/npm/cli/pull/1761) Explain `ERESOLVE` errors
 - [`8e3e83bd4`](https://github.com/npm/cli/commit/8e3e83bd4f816bfed0efb8266985143ee9b94b86) `@npmcli/arborist@0.0.21`
-
   - Remove bin links on prune
   - Remove unnecessary tree walk for workspace projects
   - Install workspaces on update:true
 
 - [`d6b134fd9`](https://github.com/npm/cli/commit/d6b134fd9005d911343831270615f80dfead7e3d) [#1738](https://github.com/npm/cli/pull/1738) [#1734](https://github.com/npm/cli/pull/1734) fix package spec parsing during cache add process ([@mjeanroy](https://github.com/mjeanroy))
 - [`f105eb833`](https://github.com/npm/cli/commit/f105eb8333fa3300c5b47464b129c1b0057ed7bf) `npm-audit-report@2.1.4`:
-
   - Do not crash on cyclical meta-vulnerability references
 
 - [`03a9f569b`](https://github.com/npm/cli/commit/03a9f569b5121a173f14711980db297d4a04ac6b) `opener@1.5.2`
 - [`5616a23b4`](https://github.com/npm/cli/commit/5616a23b4b868d19aa100a6d86d781cc9bfd94f7) `@npmcli/git@2.0.4`
-
   - Support `.git` files, so that git worktrees are respected
 
 ## v7.0.0-beta.8 (2020-09-01)
@@ -1743,27 +1737,21 @@ redirect_from:
 - [`5cb9a1d4d`](https://github.com/npm/cli/commit/5cb9a1d4d985aaa8e988c51fe5ae7f7ed3602811) [#1688](https://github.com/npm/cli/pull/1688) use `@npmcli/config` for configuration ([@isaacs](https://github.com/isaacs))
 
 - [`a4295f5db`](https://github.com/npm/cli/commit/a4295f5db7667e8cc6b83abdad168619ad31a12f) `npm-registry-fetch@8.1.4`:
-
   - Redact passwords from HTTP logs
 
 - [`a5a6a516d`](https://github.com/npm/cli/commit/a5a6a516d16828c1375eaf41d04468d919df4a57) `json-parse-even-better-errors@2.3.0`:
-
   - Adds support for indentation/newline formatting preservation
 
 - [`a14054558`](https://github.com/npm/cli/commit/a1405455843db1b14938596303b29fb3ad4f90f0) `read-package-json-fast@1.2.1`:
-
   - Adds support for indentation/newline formatting preservation
 
 - [`f8603c8af`](https://github.com/npm/cli/commit/f8603c8affefc342d81c109e4676d498a8359b78) `libnpmversion@1.0.4`:
-
   - Adds support for indentation/newline formatting preservation
 
 - [`9891fa71c`](https://github.com/npm/cli/commit/9891fa71c88f425bef8d881c3795e5823d732e1f) `read-package-json@2.1.2`:
-
   - Adds support for indentation/newline formatting preservation
 
 - [`b44768aac`](https://github.com/npm/cli/commit/b44768aace0e9c938ebd6d05a5de1cc4368e2d7d) [#1662](https://github.com/npm/cli/issues/1662) [#1693](https://github.com/npm/cli/issues/1693) [#1690](https://github.com/npm/cli/issues/1690) `@npmcli/arborist@0.0.17`:
-
   - Load root project `package.json` when running loadVirtual.
   - Fetch metadata from registry when loading tree from outdated package-lock.json file. This avoids a situation where a lockfile or shrinkwrap from npm v5 would result in deleting dependencies on install.
   - Preserve `package.json` and `package-lock.json` formatting in all places where these files are written.

@@ -79,7 +79,6 @@ Even if you never publish your package, you can still get a lot of benefits of u
   Install a package that is sitting on the filesystem. Note: if you just want to link a dev directory into your npm root, you can do this more easily by using [`npm link`](/cli/v8/commands/npm-link).
 
   Tarball requirements:
-
   - The filename _must_ use `.tar`, `.tar.gz`, or `.tgz` as the extension.
   - The package contents should reside in a subfolder inside the tarball (usually it is called `package/`). npm strips one directory layer when installing the package (an equivalent of `tar x --strip-components=1` is run).
   - The package must contain a `package.json` file with `name` and `version` properties.
@@ -113,7 +112,6 @@ Even if you never publish your package, you can still get a lot of benefits of u
   ```
 
   `npm install` saves any specified packages into `dependencies` by default. Additionally, you can control where and how they get saved with some additional flags:
-
   - `-P, --save-prod`: Package will appear in your `dependencies`. This is the default unless `-D` or `-O` are present.
 
   - `-D, --save-dev`: Package will appear in your `devDependencies`.
@@ -123,7 +121,6 @@ Even if you never publish your package, you can still get a lot of benefits of u
   - `--no-save`: Prevents saving to `dependencies`.
 
   When using any of the above options to save dependencies to your package.json, there are two additional, optional flags:
-
   - `-E, --save-exact`: Saved dependencies will be configured with an exact version rather than using npm's default semver range operator.
 
   - `-B, --save-bundle`: Saved dependencies will also be added to your `bundleDependencies` list.
@@ -213,7 +210,6 @@ Even if you never publish your package, you can still get a lot of benefits of u
   If the package being installed contains a `prepare` script, its `dependencies` and `devDependencies` will be installed, and the prepare script will be run, before the package is packaged and installed.
 
   The following git environment variables are recognized by npm and will be added to the environment when running git:
-
   - `GIT_ASKPASS`
   - `GIT_EXEC_PATH`
   - `GIT_PROXY_COMMAND`

@@ -65,7 +65,6 @@ Change your profile information on the registry. Note that this command depends
 - `npm profile set password`: Change your password. This is interactive, you'll be prompted for your current password and a new password. You'll also be prompted for an OTP if you have two-factor authentication enabled.
 
 - `npm profile enable-2fa [auth-and-writes|auth-only]`: Enables two-factor authentication. Defaults to `auth-and-writes` mode. Modes are:
-
   - `auth-only`: Require an OTP when logging in or making changes to your account's authentication. The OTP will be required on both the website and the command line.
   - `auth-and-writes`: Requires an OTP at all the times `auth-only` does, and also requires one when publishing a module, setting the `latest` dist-tag, or changing access via `npm access` and `npm owner`.