GitHub to Disable npm Script Installs by Default in v12 Update

GitHub has announced a significant security update for the Node Package Manager (npm), aimed at mitigating software supply chain attacks. The forthcoming npm version 12, slated for release in July 2026, will disable the automatic execution of installation scripts by default, closing off a long-standing vector for running attacker-supplied code on developer machines and CI runners.

With this update, the new allowScripts configuration will default to ‘off’. Consequently, commands such as npm install will no longer run the preinstall, install, or postinstall scripts declared by dependencies unless developers explicitly approve them. Attackers have repeatedly abused these hooks to run arbitrary code at install time, before the package is ever imported or reviewed.

The restriction also covers implicit behaviors such as node-gyp rebuild, which npm triggers automatically for native modules that ship a binding.gyp file without their own install or preinstall script. Additionally, prepare scripts from Git, local-file, and linked dependencies will be blocked unless explicitly permitted.

Developers can preview which scripts would be blocked using the command:

npm approve-scripts --allow-scripts-pending

Trusted packages can be allowlisted with npm approve-scripts, and untrusted ones blocked with npm deny-scripts. The resulting approval list is stored in package.json and should be committed to version control so that every developer and CI job applies the same decisions.

Furthermore, npm v12 introduces stricter controls on external dependency sources:

  • --allow-git will default to ‘none’, preventing npm from resolving Git-based dependencies unless explicitly enabled.
  • --allow-remote will also default to ‘none’, blocking the installation of packages from remote URLs such as HTTPS tarballs.

These defaults close a class of attacks that ride on Git dependencies: because npm clones and builds a Git dependency locally, the whole repository, not just its package.json, influences the install. Notably, attackers have previously abused .npmrc files committed to such Git repositories to override system binaries, even when script execution was disabled via --ignore-scripts.

To ease the transition, these changes are partially implemented in npm versions 11.10.0 through 11.16.0, accompanied by warnings. GitHub recommends upgrading to npm 11.16.0 or later to identify potential disruptions in existing workflows: running a normal npm install on that version surfaces warnings about the behaviors npm 12 will block, so teams can adopt the opt-in model before the default changes.

This shift reflects a broader industry effort to secure the open-source software supply chain, which has been increasingly targeted through typosquatting, dependency confusion, and malicious package updates. By requiring explicit trust declarations for script execution and external sources, npm v12 introduces a zero-trust-like model for dependency installation, reducing the risk of silent compromises during routine development operations.

For organizations heavily reliant on third-party packages, these changes will require adjustments to CI/CD pipelines and dependency management practices: script approvals must be committed alongside the lockfile so that CI reproduces the decisions made by developers, and any Git or remote-URL dependencies must be explicitly enabled or replaced with registry-published packages. The trade-off is a more secure and transparent software development process that aligns with modern secure-by-default principles.

GitHub’s proactive measures in enhancing npm’s security underscore the critical importance of safeguarding the software supply chain. Developers should stay informed and adapt their workflows to align with these new security standards, ensuring a more resilient development ecosystem.

Source: CyberSecurityNews