CLI documentation update from CI

Author: npm-cli-bot

cli-cache.json

@@ -1,6 +1,6 @@
 {
   "v8": "aa8fff11cdab94fff1a2160ee5241f5f4632e96b",
   "v9": "64763a341e7aa5b456e696f956759bf9b3440dc1",
-  "v10": "49a764e354ab321da88b499fc4233eee3fa98406",
-  "v11": "21ea382a60b3693ff6c44c81447caa5d0294169c"
+  "v10": "dd3c80e9965d240957684e9951603cf22eaae74c",
+  "v11": "0629fbf736eafcb555428d96bd86a69f8e791d70"
 }

content/cli/v10/commands/npm-ls.mdx

@@ -36,7 +36,7 @@ Note: to get a "bottoms up" view of why a given package is included in the tree
 Positional arguments are `name@version-range` identifiers, which will limit the results to only the paths to the packages named. Note that nested packages will _also_ show the paths to the specified packages. For example, running `npm ls promzard` in npm's source tree will show:
 
 ```bash
-npm@10.9.6 /path/to/npm
+npm@10.9.8 /path/to/npm
 └─┬ init-package-json@0.0.4
   └── promzard@0.1.5
 ```

content/cli/v10/commands/npm.mdx

@@ -23,7 +23,7 @@ Note: This command is unaware of workspaces.
 
 ### Version
 
-10.9.6
+10.9.8
 
 ### Description
 

content/cli/v10/using-npm/changelog.mdx

@@ -9,6 +9,33 @@ redirect_from:
   - /cli/v10/misc/changelog
 ---
 
+### Dependencies
+
+- [workspace](https://github.com/npm/cli/releases/tag/arborist-v8.0.5): `@npmcli/arborist@8.0.5`
+- [workspace](https://github.com/npm/cli/releases/tag/libnpmdiff-v7.0.5): `libnpmdiff@7.0.5`
+- [workspace](https://github.com/npm/cli/releases/tag/libnpmexec-v9.0.5): `libnpmexec@9.0.5`
+- [workspace](https://github.com/npm/cli/releases/tag/libnpmfund-v6.0.5): `libnpmfund@6.0.5`
+- [workspace](https://github.com/npm/cli/releases/tag/libnpmpack-v8.0.5): `libnpmpack@8.0.5`
+
+## [10.9.7](https://github.com/npm/cli/compare/v10.9.6...v10.9.7) (2026-03-18)
+
+### Bug Fixes
+
+- [`bbcd455`](https://github.com/npm/cli/commit/bbcd45502315365286ce8b35a9585c5e4c516e6b) [#9120](https://github.com/npm/cli/pull/9120) arborist: v10 - backport store, lock-only, and override sibling fixes (#9120) (@manzoorwanijk)
+
+### Dependencies
+
+- [`cc9a4de`](https://github.com/npm/cli/commit/cc9a4de0a9552f7942dcaa3d72e7a2c7163e3b31) [#9130](https://github.com/npm/cli/pull/9130) hoist production @sigstore dependencies
+
+### Chores
+
+- [`e5c1309`](https://github.com/npm/cli/commit/e5c1309693f9a94044be87d7642b0327a8f27569) [#9130](https://github.com/npm/cli/pull/9130) dev dependency updates (@wraithgar)
+- [workspace](https://github.com/npm/cli/releases/tag/arborist-v8.0.4): `@npmcli/arborist@8.0.4`
+- [workspace](https://github.com/npm/cli/releases/tag/libnpmdiff-v7.0.4): `libnpmdiff@7.0.4`
+- [workspace](https://github.com/npm/cli/releases/tag/libnpmexec-v9.0.4): `libnpmexec@9.0.4`
+- [workspace](https://github.com/npm/cli/releases/tag/libnpmfund-v6.0.4): `libnpmfund@6.0.4`
+- [workspace](https://github.com/npm/cli/releases/tag/libnpmpack-v8.0.4): `libnpmpack@8.0.4`
+
 ## [10.9.6](https://github.com/npm/cli/compare/v10.9.5...v10.9.6) (2026-03-10)
 
 ### Bug Fixes

content/cli/v11/commands/npm-audit.mdx

@@ -67,6 +67,14 @@ $ npm audit signatures
 
 The `audit signatures` command will also verify the provenance attestations of downloaded packages. Because provenance attestations are such a new feature, security features may be added to (or changed in) the attestation format over time. To ensure that you're always able to verify attestation signatures check that you're running the latest version of the npm CLI. Please note this often means updating npm beyond the version that ships with Node.js.
 
+To include the full sigstore attestation bundles in JSON output, use:
+
+```bash
+$ npm audit signatures --json --include-attestations
+```
+
+This adds a `verified` array to the JSON output containing the attestation bundles (DSSE envelopes, verification material, and transparency log entries) for each verified package.
+
 The npm CLI supports registry signatures and signing keys provided by any registry if the following conventions are followed:
 
 1. Signatures are provided in the package's `packument` in each published version within the `dist` object:
@@ -325,6 +333,13 @@ If true, npm does not run scripts specified in package.json files.
 
 Note that commands explicitly intended to run a particular script, such as `npm start`, `npm stop`, `npm restart`, `npm test`, and `npm run` will still run their intended script if `ignore-scripts` is set, but they will _not_ run any pre- or post-scripts.
 
+#### `include-attestations`
+
+- Default: false
+- Type: Boolean
+
+When used with `npm audit signatures --json`, includes the full sigstore attestation bundles in the JSON output for each verified package. The bundles contain DSSE envelopes, verification material, and transparency log entries.
+
 #### `workspace`
 
 - Default:

content/cli/v11/commands/npm-install-test.mdx

@@ -217,6 +217,8 @@ This flag is a complement to `before`, which accepts an exact date instead of a
 
 This config cannot be used with: `before`
 
+This value is not exported to the environment for child processes.
+
 #### `bin-links`
 
 - Default: true

content/cli/v11/commands/npm-install.mdx

@@ -521,6 +521,8 @@ This flag is a complement to `before`, which accepts an exact date instead of a
 
 This config cannot be used with: `before`
 
+This value is not exported to the environment for child processes.
+
 #### `bin-links`
 
 - Default: true

content/cli/v11/commands/npm-ls.mdx

@@ -52,7 +52,7 @@ Note: to get a "bottoms up" view of why a given package is included in the tree
 Positional arguments are `name@version-range` identifiers, which will limit the results to only the paths to the packages named. Note that nested packages will _also_ show the paths to the specified packages. For example, running `npm ls promzard` in npm's source tree will show:
 
 ```bash
-npm@11.11.1 /path/to/npm
+npm@11.13.0 /path/to/npm
 └─┬ init-package-json@0.0.4
   └── promzard@0.1.5
 ```

content/cli/v11/commands/npm-outdated.mdx

@@ -173,6 +173,8 @@ This flag is a complement to `before`, which accepts an exact date instead of a
 
 This config cannot be used with: `before`
 
+This value is not exported to the environment for child processes.
+
 ### See Also
 
 - [package spec](/cli/v11/using-npm/package-spec)

content/cli/v11/commands/npm-publish.mdx

@@ -83,6 +83,8 @@ A `package` is interpreted the same way as other commands (like `npm install`) a
 - f) a `<name>` that has a "latest" tag satisfying (e)
 - g) a `<git remote url>` that resolves to (a)
 
+If either (a) or (b) is specified as a relative path, it should begin with an explicit `./` prefix.
+
 The publish will fail if the package name and version combination already exists in the specified registry.
 
 Once a package is published with a given name and version, that specific name and version combination can never be used again, even if it is removed with [`npm unpublish`](/cli/v11/commands/npm-unpublish).