npm 12 Disables Install Scripts by Default to Enhance Security

GitHub has officially released npm version 12, introducing significant security enhancements by disabling install scripts by default. This change aims to mitigate risks associated with software supply chain attacks that exploit npm lifecycle hooks during the installation process.

Previously, the ‘npm install’ command would automatically execute lifecycle scripts such as preinstall, install, and postinstall from all dependencies, including transitive ones. This behavior posed a substantial security risk, as a single compromised package anywhere in the dependency tree could execute arbitrary code on a developer’s machine or continuous integration (CI) runner.

With npm 12, these scripts are no longer executed automatically. Instead, developers must explicitly approve and allow them. To facilitate this, npm provides the ‘npm approve-scripts –allow-scripts-pending’ command, enabling users to review and approve trusted scripts, which are then recorded in the project’s ‘package.json’ file.

In addition to disabling install scripts by default, npm 12 introduces other security-focused changes:

  • Git Dependencies: The ‘–allow-git’ option now defaults to ‘none,’ meaning Git dependencies, whether direct or transitive, are not resolved unless explicitly permitted.
  • Remote URL Dependencies: The ‘–allow-remote’ option also defaults to ‘none,’ preventing the resolution of dependencies from remote URLs, such as HTTPS tarballs, unless explicitly allowed.

These measures are designed to close potential code execution paths that could be exploited by malicious actors, thereby enhancing the overall security of the npm ecosystem.

Furthermore, npm 12 addresses concerns related to granular access tokens (GATs) that bypass two-factor authentication (2FA). The following changes are being implemented:

  • Restricted Actions: GATs configured to bypass 2FA will no longer be able to perform sensitive account, package, and organization management actions. This includes creating or deleting tokens, generating recovery codes, changing account credentials, modifying package access, and managing organization and team memberships.
  • Publishing Limitations: GATs will no longer have the ability to publish packages directly. Their publishing capabilities will be limited to reading private packages and staging a publish, which requires human 2FA approval before the package becomes public.

The restriction on sensitive actions is expected to take effect in early August 2026. Developers are advised to cease using 2FA-bypass tokens for these operations and instead perform them interactively with 2FA. The publishing limitations are scheduled for January 2027. To prepare, developers should plan to transition automated publishing processes to trusted publishing (OIDC) or staged publishing with a human approval step, rather than relying on long-lived publish tokens.

These changes underscore GitHub’s commitment to enhancing the security of the npm ecosystem by reducing the attack surface and requiring explicit user consent for potentially risky operations. Developers are encouraged to adapt their workflows accordingly to align with these new security measures.