GitHub has announced significant changes in the upcoming npm version 12, scheduled for release next month, aimed at enhancing software supply chain security. A key update is the default disabling of install scripts during the ‘npm install’ process.
Install-time lifecycle scripts have been identified as a major vector for code execution within the npm ecosystem. The ‘npm install’ command traditionally executes scripts from all dependencies, including transitive ones, which means a single compromised package can execute arbitrary code on a developer’s machine or continuous integration (CI) runner.
To mitigate this risk, npm version 12 will implement the following changes:
- ‘npm install’ will no longer execute preinstall, install, or postinstall scripts from dependencies unless explicitly permitted in the project.
- ‘npm install’ will not resolve Git dependencies, whether direct or transitive, unless allowed via the ‘--allow-git’ flag.
- ‘npm install’ will not resolve dependencies from remote URLs, such as HTTPS tarballs, unless permitted via the ‘--allow-remote’ flag.
These measures aim to require explicit user approval before any code execution occurs automatically during ‘npm install’, shifting from a default trust model to an explicit consent model. GitHub stated, ‘Making script execution opt-in closes that path while keeping it one command away for the packages you trust.’
Developers are advised to prepare for these changes by upgrading to npm 11.16.0 or newer, running the standard install, and reviewing any warnings displayed. GitHub recommends using ‘npm approve-scripts --allow-scripts-pending’ to identify packages with scripts, approving trusted ones, and committing the updated package.json. This process ensures that only approved scripts will execute upon upgrading to version 12.
Earlier this year, npm introduced the ‘min-release-age’ setting, which rejects package versions published less than a specified number of days ago, serving as a safeguard against newly published malicious packages.
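To make the two defensive controls above concrete, here is an added Python example (written for this page, not code from npm or GitHub). The first function does what the review step in the approval workflow surfaces: it walks a node_modules-style tree, including nested and scoped packages, and lists every package that declares a preinstall, install or postinstall script, so a team can see exactly which dependencies would need explicit approval. The second function models the ‘min-release-age’ policy by dropping versions whose publish timestamp is younger than the configured number of days. All inputs are constructed inline (a temporary package tree and a hand-written version/time map shaped like a registry packument) so the script runs offline; the function and variable names are this example's own.

```python
"""Audit helpers illustrating npm's install-script and min-release-age controls.

Added example, not npm's own code. Both inputs are constructed so it runs offline.
"""
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone

# Lifecycle hooks that run automatically during 'npm install' before npm 12.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def find_install_scripts(node_modules_dir):
    """Return {"name@version": {hook: command}} for packages with install-time scripts.

    Walks every package.json below node_modules_dir, so nested (transitive) and
    scoped (@scope/name) packages are covered, not just direct dependencies.
    """
    found = {}
    for root, _dirs, files in os.walk(node_modules_dir):
        if "package.json" not in files:
            continue
        path = os.path.join(root, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it rather than crash
        scripts = manifest.get("scripts") or {}
        hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
        if hooks:
            name = manifest.get("name") or os.path.relpath(root, node_modules_dir)
            version = manifest.get("version", "unknown")
            found[f"{name}@{version}"] = hooks
    return found


def filter_by_min_release_age(version_times, min_days, now=None):
    """Return the versions published at least min_days before 'now'.

    version_times maps version -> ISO-8601 publish time (the shape of a registry
    packument's 'time' object); the 'created'/'modified' entries are ignored.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=min_days)
    allowed = []
    for version, published in version_times.items():
        if version in ("created", "modified"):
            continue
        ts = datetime.fromisoformat(published.replace("Z", "+00:00"))
        if ts <= cutoff:
            allowed.append(version)
    return allowed


# Constructed node_modules tree: two packages with install hooks, one without,
# and one nested transitive dependency with a hook.
SAMPLE_PACKAGES = {
    "safe-lib": {"name": "safe-lib", "version": "1.0.0", "scripts": {"test": "jest"}},
    "native-addon": {"name": "native-addon", "version": "2.3.1",
                     "scripts": {"install": "node-gyp rebuild"}},
    "@acme/tool": {"name": "@acme/tool", "version": "0.9.0",
                   "scripts": {"postinstall": "node setup.js"}},
    "safe-lib/node_modules/nested-dep": {"name": "nested-dep", "version": "4.0.0",
                                         "scripts": {"preinstall": "sh ./prep.sh"}},
}


def audit_sample_tree():
    """Write the constructed tree to a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as base:
        for rel_path, manifest in SAMPLE_PACKAGES.items():
            pkg_dir = os.path.join(base, *rel_path.split("/"))
            os.makedirs(pkg_dir, exist_ok=True)
            with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
                json.dump(manifest, fh)
        return find_install_scripts(base)


# Constructed packument-style timestamps and a fixed "now" for reproducibility.
SAMPLE_TIMES = {
    "created": "2025-01-10T00:00:00.000Z",
    "1.0.0": "2025-05-01T00:00:00.000Z",
    "1.1.0": "2025-06-14T12:00:00.000Z",  # published yesterday: too new for a 7-day policy
    "modified": "2025-06-14T12:00:00.000Z",
}
SAMPLE_NOW = datetime(2025, 6, 15, tzinfo=timezone.utc)


if __name__ == "__main__":
    for pkg, hooks in sorted(audit_sample_tree().items()):
        print(f"{pkg}: {hooks}")
    print("allowed by min-release-age=7:", filter_by_min_release_age(SAMPLE_TIMES, 7, SAMPLE_NOW))
```

Running the script lists native-addon, @acme/tool and the nested nested-dep as the packages that would need approval, and shows that a seven-day minimum release age keeps 1.0.0 while holding back the day-old 1.1.0. Pointing find_install_scripts at a real project's node_modules directory gives the same inventory for that project.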
These proactive steps by GitHub reflect a growing emphasis on securing the software supply chain, particularly in light of recent attacks exploiting package managers to distribute malicious code. Developers should stay informed and adapt their workflows to align with these security enhancements.
Source: The Hacker News