diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 5fa54aa8..dbd93a41 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -6,6 +6,7 @@ on:
 - main
 permissions:
+ id-token: write
 contents: read
 jobs:
@@ -27,8 +28,6 @@ jobs:
 - uses: actions/checkout@v4
 - uses: actions/setup-node@v4
 with:
- node-version: lts/*
+ node-version: 24.x
 registry-url: 'https://registry.npmjs.org'
- - run: npm publish --access public
- env:
- NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+ - run: npm publish --access public --provenance
diff --git a/.npmrc b/.npmrc
new file mode 100644
index 00000000..97b895e2
--- /dev/null
+++ b/.npmrc
@@ -0,0 +1 @@
+ignore-scripts=true
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3f7232aa..81513de6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,19 @@
 # Changelog
+## [5.16.0](https://github.com/nodejs/node-core-utils/compare/v5.15.0...v5.16.0) (2025-09-18)
+
+
+### Features
+
+* comment on build and docker-node issue on cleanup ([#973](https://github.com/nodejs/node-core-utils/issues/973)) ([0f925ad](https://github.com/nodejs/node-core-utils/commit/0f925ad49c11d1b4ab334a00e73a3c0bbe2561f1))
+* **deps:** use shrinkwrap instead of package lock ([#976](https://github.com/nodejs/node-core-utils/issues/976)) ([c6ae8a4](https://github.com/nodejs/node-core-utils/commit/c6ae8a4e4b2ed38fc5d0cc72c6c67dae5c5b6e6b))
+
+
+### Bug Fixes
+
+* **deps:** update installation process for local development ([#975](https://github.com/nodejs/node-core-utils/issues/975)) ([440f3f6](https://github.com/nodejs/node-core-utils/commit/440f3f697b15e80ade5bd4398c3b4bd66884e7a9))
+* **ncu-config:** support encrypted config in ncu-config ([#964](https://github.com/nodejs/node-core-utils/issues/964)) ([c6cfc55](https://github.com/nodejs/node-core-utils/commit/c6cfc5526a4cd29af881382b1598c15d3cbbddc3))
+
 ## [5.15.0](https://github.com/nodejs/node-core-utils/compare/v5.14.1...v5.15.0) (2025-08-08)
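Review bot: `id-token: write` in the first hunk of release-please.yml is granted at workflow level, so every job in the file can request an OIDC token, not only the one that runs `npm publish`. The job layout is outside the hunk, but if the release-please step and the publish step live in different jobs, the grant can be narrowed by giving the publishing job its own `permissions:` block with `id-token: write` and `contents: read`, and leaving the top-level block at `contents: read`. Job-level `permissions` replace the workflow-level set for that job, so `contents: read` has to be repeated there.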
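Review bot: Nothing in the second hunk of release-please.yml records why `node-version` moved from `lts/*` to `24.x` or why `NODE_AUTH_TOKEN` was removed, so a later edit could restore `lts/*` or drop `id-token: write` without realising that publishing depends on both. Token-less publishing appears to rely on npm's OIDC trusted publishing, which needs a recent npm CLI; a comment above the step such as `# Publishes via npm trusted publishing (OIDC): needs id-token: write and the npm bundled with Node 24.x` would capture that. Separately, the job still references `actions/checkout@v4` and `actions/setup-node@v4` by mutable tag. Since this job can now obtain the publishing identity, pinning both to full commit SHAs is worth considering.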
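Review bot: The new `.npmrc` sets `ignore-scripts=true` with no comment on its scope, and the setting also suppresses this package's own lifecycle scripts, including any `prepare`, `prepack` or `prepublishOnly` that the `npm publish` step in release-please.yml would otherwise run. package.json's `scripts` block is not shown in this diff, so it is worth confirming that nothing needed at install or publish time lives there. A header line such as `; Do not run lifecycle scripts on install; applies to checkouts of this repo only` would document the intent, since a project-level `.npmrc` has no effect when users install the published package.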
diff --git a/README.md b/README.md
index 15f75732..3d0c1619 100644
--- a/README.md
+++ b/README.md
@@ -47,7 +47,7 @@ If you would prefer to build from the source, install and link:
 ```
 git clone git@github.com:nodejs/node-core-utils.git
 cd node-core-utils
-npm install
+npm ci
 npm link
 ```
diff --git a/lib/config.js b/lib/config.js
index 241a93e9..a6ecf322 100644
--- a/lib/config.js
+++ b/lib/config.js
@@ -2,7 +2,7 @@ import path from 'node:path';
 import os from 'node:os';
 import { readJson, writeJson } from './file.js';
-import { existsSync } from 'node:fs';
+import { existsSync, mkdtempSync, rmSync } from 'node:fs';
 import { spawnSync } from 'node:child_process';
 export const GLOBAL_CONFIG = Symbol('globalConfig');
@@ -61,13 +61,31 @@ export function getConfigPath(configType, dir) {
 };
 export function writeConfig(configType, obj, dir) {
- writeJson(getConfigPath(configType, dir), obj);
+ const configPath = getConfigPath(configType, dir);
+ const encryptedConfigPath = configPath + '.gpg';
+ if (existsSync(encryptedConfigPath)) {
+ const tmpDir = mkdtempSync(path.join(os.tmpdir(), 'ncurc-'));
+ const tmpFile = path.join(tmpDir, 'config.json');
+ try {
+ writeJson(tmpFile, obj);
+ const { status } = spawnSync('gpg',
+ ['--default-recipient-self', '--yes', '--encrypt', '--output', encryptedConfigPath, tmpFile]
+ );
+ if (status !== 0) {
+ throw new Error('Failed to encrypt config file: ' + encryptedConfigPath);
+ }
+ } finally {
+ rmSync(tmpDir, { recursive: true, force: true });
+ }
+ return encryptedConfigPath;
+ }
+ writeJson(configPath, obj);
+ return configPath;
 };
 export function updateConfig(configType, obj, dir) {
 const config = getConfig(configType, dir);
- const configPath = getConfigPath(configType, dir);
- writeJson(configPath, Object.assign(config, obj));
+ writeConfig(configType, Object.assign(config, obj), dir);
 };
 export function getHomeDir(home) {
diff --git a/lib/prepare_security.js b/lib/prepare_security.js
index 8c303187..6e355bfa 100644
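Review bot: In `writeConfig` (second hunk of lib/config.js) the config object is written as plaintext JSON under `os.tmpdir()` before gpg encrypts it, so whatever the config holds, presumably the credentials the encrypted file exists to protect, reaches disk unencrypted, and `rmSync` only unlinks the file without erasing its contents. gpg reads the data to encrypt from stdin when no input file is named, so the temp directory can be dropped by passing the JSON through the `input` option of `spawnSync`. The same change can surface `error` from `spawnSync`, so a missing gpg binary is reported as such rather than as a generic encryption failure. `writeJson`'s exact serialisation is not visible here, so the `JSON.stringify` call below should be matched to it. The `mkdtempSync` and `rmSync` imports added in the first hunk would then be unused.

```javascript
  if (existsSync(encryptedConfigPath)) {
    // Feed the plaintext to gpg on stdin so it never reaches disk unencrypted.
    const { status, error } = spawnSync('gpg',
      ['--default-recipient-self', '--yes', '--encrypt', '--output', encryptedConfigPath],
      { input: JSON.stringify(obj, null, 2) }
    );
    if (error || status !== 0) {
      throw new Error('Failed to encrypt config file: ' + encryptedConfigPath, { cause: error });
    }
    return encryptedConfigPath;
  }
  // … unchanged: plaintext writeJson(configPath, obj) path …
```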
--- a/lib/prepare_security.js
+++ b/lib/prepare_security.js
@@ -55,6 +55,22 @@ export default class PrepareSecurityRelease extends SecurityRelease {
 // For now, close the ones with Security Release label
 await this.closePRWithLabel('Security Release');
+ if (vulnerabilityJSON.buildIssue) {
+ this.cli.info('Commenting on nodejs/build issue');
+ await this.req.commentIssue(
+ vulnerabilityJSON.buildIssue,
+ 'Security release is out'
+ );
+ }
+
+ if (vulnerabilityJSON.dockerIssue) {
+ this.cli.info('Commenting on nodejs/docker-node issue');
+ await this.req.commentIssue(
+ vulnerabilityJSON.dockerIssue,
+ 'Security release is out'
+ );
+ }
+
 const updateFolder = await this.cli.prompt(
 `Would you like to update the next-security-release folder to ${ vulnerabilityJSON.releaseDate}?`,
diff --git a/lib/request.js b/lib/request.js
index b379c1f8..289f13fa 100644
--- a/lib/request.js
+++ b/lib/request.js
@@ -81,6 +81,23 @@ export default class Request {
 return this.json(url, options);
 }
+ async commentIssue(fullUrl, comment) {
+ const commentUrl = fullUrl.replace('https://github.com/', 'https://api.github.com/repos/') +
+ '/comments';
+ const options = {
+ method: 'POST',
+ headers: {
+ Authorization: `Basic ${this.credentials.github}`,
+ 'User-Agent': 'node-core-utils',
+ Accept: 'application/vnd.github+json'
+ },
+ body: JSON.stringify({
+ body: comment,
+ })
+ };
+ return this.json(commentUrl, options);
+ }
+
 async getPullRequest(fullUrl) {
 const prUrl = fullUrl.replace('https://github.com/', 'https://api.github.com/repos/').replace('pull', 'pulls');
 const options = {
diff --git a/package-lock.json b/npm-shrinkwrap.json
similarity index 99%
rename from package-lock.json
rename to npm-shrinkwrap.json
index c705de45..7befd108 100644
--- a/package-lock.json
+++ b/npm-shrinkwrap.json
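Review bot: Both new `commentIssue` calls in lib/prepare_security.js are awaited with no error handling and their results are ignored, so a rejected request (for example a token without write access to the target repository) would abort the cleanup after the pull requests above were already closed and before the `updateFolder` prompt is reached. Whether `Request.json` throws or returns an error body on a non-2xx response is not visible in this diff; either way the outcome should be checked and reported rather than assumed. Wrapping each call in `try { … } catch (err) { this.cli.warn('Could not comment on nodejs/build issue: ' + err.message); }` keeps the remaining steps running. The enclosing method starts and ends outside this hunk.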
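Review bot: `commentIssue` in lib/request.js builds the API URL with a plain `String.replace`, so a `fullUrl` that does not start with `https://github.com/` passes through unchanged and the `Authorization: Basic` header carrying the GitHub credentials goes to whatever host that URL names. The value comes from `vulnerabilityJSON.buildIssue` and `dockerIssue` in lib/prepare_security.js, that is from a data file rather than from code, so it should be validated before credentials are attached. Parsing the URL and requiring a github.com issue path also rejects fragments or extra path segments that would otherwise produce a wrong endpoint. `getPullRequest` in the context lines below uses the same replace pattern and would benefit from the same check.

```javascript
  async commentIssue(fullUrl, comment) {
    // Only ever send GitHub credentials to api.github.com: reject anything
    // that is not a github.com issue URL before building the API URL.
    const { origin, pathname } = new URL(fullUrl);
    const match = /^\/([^/]+)\/([^/]+)\/issues\/(\d+)\/?$/.exec(pathname);
    if (origin !== 'https://github.com' || !match) {
      throw new Error(`Not a GitHub issue URL: ${fullUrl}`);
    }
    const [, owner, repo, number] = match;
    const commentUrl =
      `https://api.github.com/repos/${owner}/${repo}/issues/${number}/comments`;
    // … unchanged: options object and this.json(commentUrl, options) call …
  }
```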
@@ -1,12 +1,12 @@ { "name": "@node-core/utils", - "version": "5.15.0", + "version": "5.16.0", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "@node-core/utils", - "version": "5.15.0", + "version": "5.16.0", "license": "MIT", "dependencies": { "@inquirer/prompts": "^7.4.1",
diff --git a/package.json b/package.json
index ea6af049..e6fef403 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@node-core/utils",
- "version": "5.15.0",
+ "version": "5.16.0",
 "description": "Utilities for Node.js core collaborators",
 "type": "module",
 "engines": {