Releases: elixir-volt/npm_ex

v0.7.4

17 May 18:04

  • Preserve file permissions from tarballs, fixing EACCES for native executables like tsgo
  • Run package scripts directly with node so package #imports resolve correctly
  • Detect native binaries and execute them directly instead of wrapping in a Node.js loader
  • Propagate non-zero exit codes from mix npm.run and mix npm.exec to the shell
  • Fix --frozen install rejecting lockfiles with optional dependencies or without a policy section

v0.7.3

16 May 18:52

  • Skip browser field during resolution when its target extension is not in the resolvable set (fixes daisyUI resolving to .css when bundling JS)
  • Resolve package subpaths directly when no exports map is present, instead of falling back to root entry

v0.7.2

16 May 15:28

Fixed

  • Fixed extraction of tarballs with a non-package/ root directory, such as DefinitelyTyped @types/* packages, so they install at the expected package root and cache detection works correctly.

v0.7.1

12 May 18:10

  • Skip package versions with blocked transitive exotic dependencies during dependency solving instead of aborting resolution before a safe version can be selected.

v0.7.0

12 May 14:51

  • Reorganize supporting modules under domain namespaces; see CHANGELOG.md for the migration map
  • Block transitive exotic dependency specs by default and require allowlisting for direct exotic deps
  • Enforce registry origin allowlists and record dependency security policy in npm.lock
  • Add package/version age warnings for newly published packages
  • Add OSV/OpenSSF malicious-package checks via mix npm.audit --osv and mix npm.audit --compromised
  • Add shared compromised-package advisory cache under ~/.npm_ex/security/
  • Add HexDocs user guides and cheatsheets

Hex: https://hex.pm/packages/npm/0.7.0

v0.6.1

12 May 11:35

  • Harden tarball extraction against path traversal and absolute-path entries
  • Preserve install-script metadata in npm.lock
  • Warn when dependencies declare ignored lifecycle scripts
  • Document that npm_ex does not run package lifecycle hooks automatically, mitigating install-time credential stealers

v0.6.0

24 Apr 12:08

  • Move resolution modules under NPM.Resolution: PackageResolver, Exports, and Conditional
  • Support nested conditional package exports, array targets, and wildcard export patterns in NPM.Resolution.Exports
  • Add package imports resolution for internal specifiers such as #compiler/builders
  • Add NPM.Resolution.PackageResolver.nearest_package/1 and NPM.Resolution.PackageResolver.package_root/2
  • Harden package resolution for modern packages such as Svelte and @jridgewell/*
  • Fix optional tarball linker test isolation

v0.5.3

14 Apr 17:48

  • Add NPM.PackageResolver.relative_import_path/3 — compute relative import paths between files within a project root, with guaranteed ./ or ../ prefix

v0.5.2

14 Apr 14:25

  • Add NPM.PackageResolver — Node.js module resolution algorithm (specifier parsing, node_modules traversal, package.json entry points, extension probing)
  • Fix ETS race condition in NPM.Resolver cache initialization
  • Fix NPM.Cache.ensure/5 spec and docs to include {:ok, :missing_optional} return
  • Fix dead code in NPM.PeerDeps version matching (redundant boolean case)
  • Fix NPM.FileSize.by_extension/1 dead || branch (Path.extname never returns nil)
  • Fix NPM.DepSort.install_order/1 dead {:error, :cycle} branch
  • Fix crash in NPM.Linker nested version resolution on unparseable versions
  • Replace blanket rescue _ with specific exception types across the codebase
  • Flatten nesting in expand_all_optional_deps, solver_dependencies, select_group
  • Bump ex_dna from ~> 1.1 to ~> 1.3

Release 0.5.1

24 Mar 10:55

  • Platform-agnostic lockfile: npm.lock now includes all optional platform bindings, not just the current platform
  • Only install matching platform bindings into node_modules at link time
  • Lockfiles are now portable across OS/arch — same as npm's package-lock.json behavior