npm - Debian Package Tracker

general

source: npm (main)
version: 11.16.0+ds2-2
maintainer: Debian Javascript Maintainers (archive) (DMD)
uploaders: Jérémy Lal [DMD]
arch: all
std-ver: 4.7.4
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 7.5.2+ds-2
oldstable: 9.2.0~ds1-1
stable: 9.2.0~ds1-3
testing: 11.16.0+ds2-1
unstable: 11.16.0+ds2-2

versioned links

7.5.2+ds-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.2.0~ds1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.2.0~ds1-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
11.16.0+ds2-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
11.16.0+ds2-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

npm (9 bugs: 0, 7, 2, 0)

action needed

A new upstream version is available: 12.0.0-pre.1 high

A new upstream version 12.0.0-pre.1 is available, you should consider packaging it.

Created: 2026-06-02 Last update: 2026-06-24 09:50

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2026-9496: Versions of the package pacote from 11.2.7 are vulnerable to Denial of Service (DoS) via the addGitSha function. An attacker can exploit this vulnerability by supplying a specially crafted spec.rawSpec value that triggers the function’s regex replacement and string-manipulation logic, causing excessive CPU consumption and potentially stalling or crashing the process.

Created: 2026-06-05 Last update: 2026-06-23 04:30

1 security issue in forky high

There is 1 open security issue in forky.

1 important issue:

CVE-2026-9496: Versions of the package pacote from 11.2.7 are vulnerable to Denial of Service (DoS) via the addGitSha function. An attacker can exploit this vulnerability by supplying a specially crafted spec.rawSpec value that triggers the function’s regex replacement and string-manipulation logic, causing excessive CPU consumption and potentially stalling or crashing the process.

Created: 2026-06-05 Last update: 2026-06-23 04:30

lintian reports 99 warnings normal

Lintian reports 99 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2026-06-23 Last update: 2026-06-23 11:18

1 low-priority security issue in trixie low

There is 1 open security issue in trixie.

1 issue left for the package maintainer to handle:

CVE-2026-9496: (needs triaging) Versions of the package pacote from 11.2.7 are vulnerable to Denial of Service (DoS) via the addGitSha function. An attacker can exploit this vulnerability by supplying a specially crafted spec.rawSpec value that triggers the function’s regex replacement and string-manipulation logic, causing excessive CPU consumption and potentially stalling or crashing the process.

You can find information about how to handle this issue in the security team's documentation.

Created: 2026-06-05 Last update: 2026-06-23 04:30

1 low-priority security issue in bookworm low

There is 1 open security issue in bookworm.

1 issue left for the package maintainer to handle:

CVE-2026-9496: (needs triaging) Versions of the package pacote from 11.2.7 are vulnerable to Denial of Service (DoS) via the addGitSha function. An attacker can exploit this vulnerability by supplying a specially crafted spec.rawSpec value that triggers the function’s regex replacement and string-manipulation logic, causing excessive CPU consumption and potentially stalling or crashing the process.

You can find information about how to handle this issue in the security team's documentation.

Created: 2026-06-05 Last update: 2026-06-23 04:30

testing migrations

excuses:
- Migration status for npm (11.16.0+ds2-1 to 11.16.0+ds2-2): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- ∙ ∙ Autopkgtest for ipywidgets/8.1.5-7: amd64: Pass, arm64: Pass, i386: Pass, loong64: Pass, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for node-addon-api/8.8.0-1: amd64: Pass, arm64: Pass, i386: Pass, loong64: No tests, superficial or marked flaky ♻ (reference ♻), ppc64el: Pass, riscv64: No tests, superficial or marked flaky ♻, s390x: Test triggered
- ∙ ∙ Autopkgtest for node-jasmine/5.11.0+~cs10.12.9-2: amd64: Pass, arm64: Pass, i386: Pass, loong64: Pass, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for node-nouislider/15.8.1+ds-2: amd64: No tests, superficial or marked flaky ♻, arm64: No tests, superficial or marked flaky ♻ (reference ♻), i386: No tests, superficial or marked flaky ♻ (reference ♻), loong64: No tests, superficial or marked flaky ♻ (reference ♻), ppc64el: No tests, superficial or marked flaky ♻ (reference ♻), riscv64: No tests, superficial or marked flaky ♻, s390x: Test triggered
- ∙ ∙ Autopkgtest for node-svgdotjs-svg.js/3.2.5+dfsg-3: amd64: Pass, arm64: Pass, i386: Pass, loong64: Pass, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for node-tap: s390x: Test triggered
- ∙ ∙ Autopkgtest for node-zx/7.1.1+~cs6.7.23-3: amd64: Pass, arm64: Pass, i386: Pass, loong64: Pass, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for npm/11.16.0+ds2-2: amd64: Pass, arm64: Pass, i386: Regression ♻ (reference ♻), loong64: Pass, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for npm2deb/0.3.0-14: amd64: Pass, arm64: Pass, i386: Pass, loong64: Pass, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for pkg-js-tools/0.17.5: amd64: Pass, arm64: Pass, i386: Pass, loong64: Pass, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Too young, only 1 of 5 days old
- Additional info (not blocking):
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/n/npm.html
- ∙ ∙ Reproduced on amd64 - info
- ∙ ∙ Reproduced on arm64 - info
- ∙ ∙ Reproduced on armhf - info
- ∙ ∙ Reproduced on i386 - info
- Not considered

news

[rss feed]

[2026-06-22] Accepted npm 11.16.0+ds2-2 (source) into unstable (Xavier Guimard)
[2026-06-07] npm 11.16.0+ds2-1 MIGRATED to testing (Debian testing watch)
[2026-06-01] Accepted npm 11.16.0+ds2-1 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2026-05-23] npm 11.13.0~ds1-1 MIGRATED to testing (Debian testing watch)
[2026-05-04] Accepted npm 11.13.0~ds1-1 (source) into unstable (Xavier Guimard)
[2026-04-20] npm 11.12.1~ds1-4 MIGRATED to testing (Debian testing watch)
[2026-04-12] Accepted npm 11.12.1~ds1-4 (source) into unstable (Xavier Guimard)
[2026-04-08] Accepted npm 11.12.1~ds1-3 (source) into unstable (Xavier Guimard)
[2026-04-07] Accepted npm 11.12.1~ds1-2 (source) into unstable (Xavier Guimard)
[2026-03-30] Accepted npm 11.12.1~ds1-1 (source) into experimental (Xavier Guimard)
[2026-03-04] npm 9.2.0~ds3-1 MIGRATED to testing (Debian testing watch)
[2026-03-01] Accepted npm 9.2.0~ds3-1 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2026-01-01] npm 9.2.0~ds2-2 MIGRATED to testing (Debian testing watch)
[2025-12-28] Accepted npm 9.2.0~ds2-2 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2025-12-28] npm 9.2.0~ds2-1 MIGRATED to testing (Debian testing watch)
[2025-12-25] Accepted npm 9.2.0~ds2-1 (source) into unstable (Jérémy Lal)
[2025-12-01] npm 9.2.0~ds1-4 MIGRATED to testing (Debian testing watch)
[2025-11-23] Accepted npm 9.2.0~ds1-4 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2024-05-29] npm 9.2.0~ds1-3 MIGRATED to testing (Debian testing watch)
[2024-05-29] npm 9.2.0~ds1-3 MIGRATED to testing (Debian testing watch)
[2024-05-27] Accepted npm 9.2.0~ds1-3 (source) into unstable (Jérémy Lal)
[2023-11-25] npm 9.2.0~ds1-2 MIGRATED to testing (Debian testing watch)
[2023-11-23] Accepted npm 9.2.0~ds1-2 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2022-12-14] npm 9.2.0~ds1-1 MIGRATED to testing (Debian testing watch)
[2022-12-11] Accepted npm 9.2.0~ds1-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2022-12-08] npm 9.1.3~ds1-1 MIGRATED to testing (Debian testing watch)
[2022-12-02] Accepted npm 9.1.3~ds1-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2022-12-01] npm 9.1.2~ds1-3 MIGRATED to testing (Debian testing watch)
[2022-11-29] Accepted npm 9.1.2~ds1-3 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2022-11-21] npm 9.1.2~ds1-2 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 12
RC: 0
I&N: 10
M&W: 2
F&P: 0
patch: 0

links

homepage
lintian (0, 99)
buildd: logs, reproducibility
popcon
browse source code
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 9.2.0~ds3-1