Deno 2.8 ships audit fix, deno ci, deno pack, and drops the npm: prefix
Deno 2.8 lands a batch of new subcommands aimed at making the runtime a more credible drop-in for the npm toolchain. The headline addition for security-conscious users is deno audit fix, which auto-upgrades vulnerable npm dependencies to the nearest patched version that still satisfies existing constraints, separating out anything that would require a major-version bump. A dedicated deno ci command codifies the reproducible-install pattern: it fails if deno.lock is missing, wipes node_modules, and runs a frozen install so CI scripts and Dockerfiles stop juggling flag combinations.
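The selection rule described above for deno audit fix, sketched as an added example (not Deno's code and not taken from the article): choose the lowest patched version newer than the installed one that still satisfies the declared constraint, and set aside anything that would break it. The function names, the input shape and the sample packages are assumptions; only plain x.y.z versions with ^, ~ or exact constraints are handled.

```javascript
// Added illustration; not Deno's implementation. No prereleases, no || ranges.
const parse = (v) => v.split(".").map(Number);

const cmp = (a, b) => {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
};

// Lower bound and exclusive upper bound implied by a constraint (npm semver rules).
function bounds(constraint) {
  const op = /^[\^~]/.test(constraint) ? constraint[0] : "=";
  const base = constraint.replace(/^[\^~]/, "");
  const [maj, min, pat] = parse(base);
  if (op === "~") return { base, max: `${maj}.${min + 1}.0` };
  if (op === "=") return { base, max: `${maj}.${min}.${pat + 1}` };
  // Caret: the leftmost non-zero component must not change.
  if (maj > 0) return { base, max: `${maj + 1}.0.0` };
  if (min > 0) return { base, max: `0.${min + 1}.0` };
  return { base, max: `0.0.${pat + 1}` };
}

const satisfies = (v, constraint) => {
  const { base, max } = bounds(constraint);
  return cmp(v, base) >= 0 && cmp(v, max) < 0;
};

// deps: [{ name, constraint, installed, patched: [versions that fix the advisory] }]
function planAuditFix(deps) {
  const plan = { upgrade: [], outOfRange: [] };
  for (const d of deps) {
    const newer = d.patched.filter((v) => cmp(v, d.installed) > 0).sort(cmp);
    const inRange = newer.find((v) => satisfies(v, d.constraint));
    if (inRange) plan.upgrade.push({ name: d.name, from: d.installed, to: inRange });
    // No fix inside the constraint: report separately instead of upgrading.
    else if (newer.length) plan.outOfRange.push({ name: d.name, from: d.installed, to: newer[0] });
  }
  return plan;
}

// Constructed sample data; package names and versions are made up.
const sample = [
  { name: "pkg-a", constraint: "^1.2.0", installed: "1.2.3", patched: ["1.2.5", "1.4.0", "2.0.1"] },
  { name: "pkg-b", constraint: "^0.3.1", installed: "0.3.4", patched: ["0.4.0"] },
  { name: "pkg-c", constraint: "~2.1.0", installed: "2.1.0", patched: ["2.2.0", "2.1.7"] },
];
console.log(JSON.stringify(planAuditFix(sample), null, 2));
```

Note that pkg-b lands in the out-of-range bucket even though 0.3 to 0.4 is nominally a minor bump, because a caret constraint on a 0.x version treats the minor number as breaking.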
The release also leans hard into publishing and tooling ergonomics. deno pack builds a Deno or JSR project into a deterministic, npm-publishable tarball, rewriting jsr: and npm: specifiers, emitting .d.ts files, and auto-shimming Deno.* APIs for Node consumers. deno bump-version handles single-package and workspace-wide version bumps, optionally driven by Conventional Commits. deno transpile strips types to plain JS without bundling, and deno why traces transitive dependencies across both npm and JSR.
Most consequentially for adoption, Deno 2.8 drops the required npm: prefix from CLI commands — deno add express now just works — and the team claims cold installs are 3.66x faster than 2.7. Combined with deno ci and deno audit fix, the positioning is clear: Deno wants to be the default Node package manager, not just an alternative runtime.
This is an AI-generated summary.