GitHub said npm version 12, due next month, will turn off dependency install scripts by default, a change aimed at reducing software supply chain risk by stopping packages from automatically executing code on the machine that installs them.
KEY FACTS
- Install scripts: preinstall, install and postinstall hooks from dependencies will be blocked unless explicitly allowed.
- Git and remote sources: dependencies from Git URLs and remote tarballs will also require explicit permission.
- Timeline: npm version 12 is scheduled for release next month.
- Preparation: developers are being told to upgrade to npm 11.16.0 or newer and review the warnings shown during a normal install.
GitHub's announcement says install-time lifecycle scripts are the single largest code-execution surface in the npm ecosystem, because the install process runs scripts not only from direct dependencies but from transitive ones as well. A single compromised package anywhere in a dependency tree could therefore execute arbitrary code on a developer machine or CI runner.
Under the new default behavior, npm install will not run dependency scripts unless they are approved in the project. GitHub also said Git dependencies and remote URLs will not resolve unless users pass --allow-git or --allow-remote, and that the same restrictions apply to implicit node-gyp rebuilds and prepare scripts from git, file and link dependencies.
GitHub said that blocking Git dependencies by default (so that --allow-git must be passed explicitly) closes a separate code execution path: a Git dependency's .npmrc file could override the Git executable, and that override took effect even when --ignore-scripts was used. The company also advised developers to run npm 11.16.0 or newer, review the warnings shown during installation and approve trusted packages with npm approve-scripts --allow-scripts-pending.
Earlier this year, npm added min-release-age, a setting that rejects package versions published too recently to help limit exposure to newly uploaded malicious packages.
WHY IT MATTERS
The change is meant to make package installation safer by requiring explicit approval before code runs automatically. It may also require developers and CI operators to review and adjust build workflows before moving to npm 12.

