npm - Debian Package Tracker

general

source: npm (main)
version: 11.16.0+ds2-3
maintainer: Debian Javascript Maintainers (archive) (DMD)
uploaders: Jérémy Lal [DMD]
arch: all
std-ver: 4.7.4
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 7.5.2+ds-2
oldstable: 9.2.0~ds1-1
stable: 9.2.0~ds1-3
testing: 11.16.0+ds2-1
unstable: 11.16.0+ds2-3

versioned links

7.5.2+ds-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.2.0~ds1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.2.0~ds1-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
11.16.0+ds2-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
11.16.0+ds2-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

npm (9 bugs: 0, 7, 2, 0)

action needed

A new upstream version is available: 12.0.0-pre.1 high

A new upstream version 12.0.0-pre.1 is available, you should consider packaging it.

Created: 2026-06-25 Last update: 2026-06-29 19:03

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2026-9496: Versions of the package pacote from 11.2.7 and before 21.5.1 are vulnerable to Denial of Service (DoS) via the addGitSha function. An attacker can exploit this vulnerability by supplying a specially crafted spec.rawSpec value that triggers the function’s regex replacement and string-manipulation logic, causing excessive CPU consumption and potentially stalling or crashing the process.

Created: 2026-06-05 Last update: 2026-06-28 07:00

1 security issue in forky high

There is 1 open security issue in forky.

1 important issue:

CVE-2026-9496: Versions of the package pacote from 11.2.7 and before 21.5.1 are vulnerable to Denial of Service (DoS) via the addGitSha function. An attacker can exploit this vulnerability by supplying a specially crafted spec.rawSpec value that triggers the function’s regex replacement and string-manipulation logic, causing excessive CPU consumption and potentially stalling or crashing the process.

Created: 2026-06-05 Last update: 2026-06-28 07:00

lintian reports 99 warnings normal

Lintian reports 99 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2026-06-25 Last update: 2026-06-25 12:47

1 low-priority security issue in trixie low

There is 1 open security issue in trixie.

1 issue left for the package maintainer to handle:

CVE-2026-9496: (needs triaging) Versions of the package pacote from 11.2.7 and before 21.5.1 are vulnerable to Denial of Service (DoS) via the addGitSha function. An attacker can exploit this vulnerability by supplying a specially crafted spec.rawSpec value that triggers the function’s regex replacement and string-manipulation logic, causing excessive CPU consumption and potentially stalling or crashing the process.

You can find information about how to handle this issue in the security team's documentation.

Created: 2026-06-05 Last update: 2026-06-28 07:00

1 low-priority security issue in bookworm low

There is 1 open security issue in bookworm.

1 issue left for the package maintainer to handle:

CVE-2026-9496: (needs triaging) Versions of the package pacote from 11.2.7 and before 21.5.1 are vulnerable to Denial of Service (DoS) via the addGitSha function. An attacker can exploit this vulnerability by supplying a specially crafted spec.rawSpec value that triggers the function’s regex replacement and string-manipulation logic, causing excessive CPU consumption and potentially stalling or crashing the process.

You can find information about how to handle this issue in the security team's documentation.

Created: 2026-06-05 Last update: 2026-06-28 07:00

testing migrations

excuses:
- Migration status for npm (11.16.0+ds2-1 to 11.16.0+ds2-3): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- ∙ ∙ Autopkgtest for npm/11.16.0+ds2-3: amd64: Pass, arm64: Pass, i386: Regression ♻ (reference ♻), loong64: Pass, ppc64el: Pass, riscv64: Pass, s390x: Pass
- ∙ ∙ Autopkgtest for pkg-js-tools/0.17.5: s390x: Pass ♻
- Additional info (not blocking):
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/n/npm.html
- ∙ ∙ Reproduced on amd64 - info
- ∙ ∙ Reproduced on arm64 - info
- ∙ ∙ Reproduced on armhf - info
- ∙ ∙ Reproduced on i386 - info
- ∙ ∙ 5 days old (needed 5 days)
- Not considered

news

[rss feed]

[2026-06-24] Accepted npm 11.16.0+ds2-3 (source) into unstable (Xavier Guimard)
[2026-06-22] Accepted npm 11.16.0+ds2-2 (source) into unstable (Xavier Guimard)
[2026-06-07] npm 11.16.0+ds2-1 MIGRATED to testing (Debian testing watch)
[2026-06-01] Accepted npm 11.16.0+ds2-1 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2026-05-23] npm 11.13.0~ds1-1 MIGRATED to testing (Debian testing watch)
[2026-05-04] Accepted npm 11.13.0~ds1-1 (source) into unstable (Xavier Guimard)
[2026-04-20] npm 11.12.1~ds1-4 MIGRATED to testing (Debian testing watch)
[2026-04-12] Accepted npm 11.12.1~ds1-4 (source) into unstable (Xavier Guimard)
[2026-04-08] Accepted npm 11.12.1~ds1-3 (source) into unstable (Xavier Guimard)
[2026-04-07] Accepted npm 11.12.1~ds1-2 (source) into unstable (Xavier Guimard)
[2026-03-30] Accepted npm 11.12.1~ds1-1 (source) into experimental (Xavier Guimard)
[2026-03-04] npm 9.2.0~ds3-1 MIGRATED to testing (Debian testing watch)
[2026-03-01] Accepted npm 9.2.0~ds3-1 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2026-01-01] npm 9.2.0~ds2-2 MIGRATED to testing (Debian testing watch)
[2025-12-28] Accepted npm 9.2.0~ds2-2 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2025-12-28] npm 9.2.0~ds2-1 MIGRATED to testing (Debian testing watch)
[2025-12-25] Accepted npm 9.2.0~ds2-1 (source) into unstable (Jérémy Lal)
[2025-12-01] npm 9.2.0~ds1-4 MIGRATED to testing (Debian testing watch)
[2025-11-23] Accepted npm 9.2.0~ds1-4 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2024-05-29] npm 9.2.0~ds1-3 MIGRATED to testing (Debian testing watch)
[2024-05-29] npm 9.2.0~ds1-3 MIGRATED to testing (Debian testing watch)
[2024-05-27] Accepted npm 9.2.0~ds1-3 (source) into unstable (Jérémy Lal)
[2023-11-25] npm 9.2.0~ds1-2 MIGRATED to testing (Debian testing watch)
[2023-11-23] Accepted npm 9.2.0~ds1-2 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2022-12-14] npm 9.2.0~ds1-1 MIGRATED to testing (Debian testing watch)
[2022-12-11] Accepted npm 9.2.0~ds1-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2022-12-08] npm 9.1.3~ds1-1 MIGRATED to testing (Debian testing watch)
[2022-12-02] Accepted npm 9.1.3~ds1-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2022-12-01] npm 9.1.2~ds1-3 MIGRATED to testing (Debian testing watch)
[2022-11-29] Accepted npm 9.1.2~ds1-3 (source) into unstable (Yadd) (signed by: Xavier Guimard)

bugs [bug history graph]

all: 12
RC: 0
I&N: 10
M&W: 2
F&P: 0
patch: 0

links

homepage
lintian (0, 99)
buildd: logs, reproducibility
popcon
browse source code
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 9.2.0~ds3-1