Description
Unable to generate releases using npx semantic-release due to an ECOMPROMISED error:
```
Run npx semantic-release
  npx semantic-release
  shell: C:\Program Files\Git\bin\bash.EXE --noprofile --norc -e -o pipefail {0}
  env:
    NPM_CONFIG_USERCONFIG: D:\a\_temp\.npmrc
    NODE_AUTH_TOKEN: ***
    GITHUB_TOKEN: ***
npm warn Unknown user config "always-auth". This will stop working in the next major version of npm.
npm warn exec The following package was not found and will be installed: semantic-release@25.0.1
npm error code ECOMPROMISED
npm error Lock compromised
npm error A complete log of this run can be found in: C:\npm\cache\_logs\2025-10-30T13_48_01_086Z-debug-0.log
Error: Process completed with exit code 1.
```
The same command works on Ubuntu and on Windows with Node on v22 and npm on 11.6.2.
I was unable to reproduce the issue locally with the same versions of npm, node, and semantic release.
Platforms affected
- Azure DevOps
- GitHub Actions - Standard Runners
- GitHub Actions - Larger Runners
Runner images affected
- Ubuntu 22.04
- Ubuntu 24.04
- macOS 13
- macOS 13 Arm64
- macOS 14
- macOS 14 Arm64
- macOS 15
- macOS 15 Arm64
- macOS 26 Arm64
- Windows Server 2019
- Windows Server 2022
- Windows Server 2025
Image version and build link
2.328.0
Is it regression?
No
Expected behavior
Should be able to build on Windows using node v24.
Actual behavior
Build fails on Windows with node on v24, but successfully builds on Ubuntu or using node v22.
Repro steps
- Create test workflow that runs on a windows runner
- Setup node with lts/*:

```yaml
- uses: actions/setup-node@v4
  with:
    node-version: "lts/*"
```

- Run npx semantic-release