GitHub has announced significant changes in the upcoming npm version 12, scheduled for release next month, aimed at enhancing security within the Node.js ecosystem. A key modification is the disabling of install scripts by default, a move designed to mitigate risks associated with software supply chain attacks.
Traditionally, the ‘npm install’ command automatically executes lifecycle scripts such as preinstall, install, and postinstall from all dependencies, including transitive ones. This behavior has been identified as a substantial security vulnerability, as a single compromised package anywhere in the dependency tree can execute arbitrary code on a developer’s machine or within a continuous integration (CI) environment.
To address this issue, npm version 12 will implement the following changes:
- The ‘npm install’ command will no longer execute preinstall, install, or postinstall scripts from dependencies unless they are explicitly permitted within the project.
- Resolution of Git dependencies, whether direct or transitive, will be disabled by default. Developers will need to pass the ‘--allow-git’ flag to enable this functionality.
- Dependencies from remote URLs, such as tarballs, will not be resolved unless explicitly allowed via the ‘--allow-remote’ flag.
These adjustments aim to require explicit user approval before any code execution occurs during the ‘npm install’ process, thereby reducing the default trust placed in external packages. By making script execution opt-in, GitHub intends to close potential attack vectors while still allowing developers to run trusted scripts with minimal effort.
To prepare for these changes, GitHub recommends that developers upgrade to npm version 11.16.0 or newer. After upgrading, running the standard install command will display warnings for dependencies that contain lifecycle scripts. Developers can review these warnings and use the ‘npm approve-scripts --allow-scripts-pending’ command to approve the packages they trust. Committing the updated ‘package.json’ file ensures that only approved scripts continue to run after upgrading to version 12, while scripts from unapproved packages will be blocked.
In addition to these changes, npm has introduced the ‘min-release-age’ setting earlier this year. This feature allows developers to reject package versions published less than a specified number of days ago, serving as a safeguard against newly published malicious packages.
These proactive measures by GitHub reflect a growing emphasis on securing the software supply chain, particularly in light of recent incidents where compromised packages have been used to execute malicious code. By requiring explicit approval for script execution and dependency resolution, npm version 12 aims to provide developers with greater control and security over their projects.
As the release of npm version 12 approaches, developers should familiarize themselves with these changes and adjust their workflows accordingly to maintain the security and integrity of their applications.