In a strategic move to fortify the NPM ecosystem against supply chain threats, GitHub has announced a crucial update to NPM’s behavior. Starting with version 12, releasing in July, NPM will no longer execute scripts from dependencies by default. This change comes in response to a series of security incidents that exploited the automatic script execution feature.
Addressing Recent Security Breaches
Recent months have witnessed significant security incidents, particularly involving the TeamPCP group and the self-replicating Shai-Hulud worm. These attacks relied on the automatic execution of dependency install scripts during npm install to spread malware widely. NPM 12 aims to close that path by blocking dependency script execution unless the user has explicitly permitted it.
GitHub has clarified that dependency lifecycle scripts, including preinstall, install, and postinstall, will not run automatically unless they are allowed in the project configuration. The same restriction applies to native node-gyp builds and to prepare scripts from dependencies, whatever their source, which closes the install-time code-execution path used by the Shai-Hulud Miasma attacks.
Implementation and Developer Guidance
To help developers adapt to these changes, GitHub recommends the npm approve-scripts --allow-scripts-pending command. It lets developers review and approve trusted packages and builds an allowlist, which npm then writes to the project's package.json file. Developers on NPM version 11.16.0 or later already receive warnings whenever an install would run a dependency script that has not been explicitly allowed.
Furthermore, Git dependencies will require explicit allowance during npm install, closing a further code-execution path. Previously, an .npmrc file shipped inside a Git dependency could point npm at a different Git executable, and that path was reachable even with the --ignore-scripts flag active; the new requirement prevents this.
Future Security Enhancements
Looking forward, NPM version 12 will also restrict remote URL dependencies. HTTPS tarballs, whether direct or transitive, will not resolve by default. Developers can still permit them with the --allow-remote flag, which has been available since version 11.15.0.
GitHub encourages developers to upgrade to NPM 11.16.0 or later now. With that version they can run a normal install, review the warnings it emits, and use npm approve-scripts to build the allowlist, so that when NPM 12 arrives only scripts they have already approved will run.
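As an added illustration (this is not code from npm, GitHub, or the announcement), the following Node.js script audits a set of package.json manifests for the three things NPM 12 gates: install-time lifecycle scripts, including the implicit node-gyp build npm runs for a native addon that ships binding.gyp and declares no install or preinstall script; Git dependencies; and remote HTTPS tarballs. The sample manifests are constructed inline, the gypfile check and the owner/repo shorthand rule are heuristics rather than npm's own resolver, and the output is only a list of what to review before approving anything with npm approve-scripts.

```javascript
"use strict";
// Added example, not code from npm or GitHub. Audits package.json manifests
// for install-time behaviour that npm 12 blocks unless explicitly allowed.

// Lifecycle scripts a dependency can use to run code during `npm install`.
const INSTALL_SCRIPTS = ["preinstall", "install", "postinstall", "prepare"];

// Classify a dependency spec from package.json. Only "git" and "remote-tarball"
// matter here: npm 12 refuses both unless the project allows them.
// The owner/repo shorthand rule is a heuristic, not npm's spec parser.
function classifySpec(spec) {
  if (/^(git\+[a-z]+:|git:|github:|gitlab:|bitbucket:|gist:)/i.test(spec)) return "git";
  if (/^https?:\/\//i.test(spec)) return /\.git(#.*)?$/i.test(spec) ? "git" : "remote-tarball";
  if (/^(file:|npm:|workspace:|link:)/.test(spec)) return "local-or-alias";
  if (/^[\w.-]+\/[\w.-]+(#.*)?$/.test(spec)) return "git"; // owner/repo GitHub shorthand
  return "registry";
}

// Install-time scripts a single manifest declares. If the package marks itself
// as a native addon (`gypfile: true`, used here as a stand-in for checking that
// binding.gyp exists) and declares no install/preinstall script, npm's default
// is to run `node-gyp rebuild`, so that is reported as an implicit install step.
function installTimeScripts(manifest) {
  const found = {};
  const scripts = manifest.scripts || {};
  for (const name of INSTALL_SCRIPTS) {
    if (typeof scripts[name] === "string") found[name] = scripts[name];
  }
  if (manifest.gypfile === true && !found.install && !found.preinstall) {
    found.install = "node-gyp rebuild (implicit default)";
  }
  return found;
}

// Build the review list: every installed package that would run a script, and
// every top-level dependency fetched from Git or from a remote tarball URL.
function auditDependencies(rootManifest, installedManifests) {
  const report = { scripts: [], git: [], remote: [] };
  const declared = {
    ...(rootManifest.dependencies || {}),
    ...(rootManifest.devDependencies || {}),
    ...(rootManifest.optionalDependencies || {}),
  };
  for (const [name, spec] of Object.entries(declared)) {
    const kind = classifySpec(spec);
    if (kind === "git") report.git.push({ name, spec });
    else if (kind === "remote-tarball") report.remote.push({ name, spec });
  }
  for (const manifest of installedManifests) {
    const scripts = installTimeScripts(manifest);
    if (Object.keys(scripts).length > 0) {
      report.scripts.push({ name: manifest.name, version: manifest.version, scripts });
    }
  }
  return report;
}

// Constructed sample data standing in for ./package.json and node_modules/*/package.json.
const ROOT_MANIFEST = {
  name: "example-app",
  dependencies: {
    "left-pad": "^1.3.0",
    "some-native": "^2.0.0",
    "helper-lib": "git+https://github.com/example/helper-lib.git",
    "other-tool": "https://example.com/other-tool-1.0.0.tgz",
    "shorthand-dep": "example/shorthand-dep",
  },
  devDependencies: { "dev-only": "file:../dev-only" },
};

const INSTALLED_MANIFESTS = [
  { name: "left-pad", version: "1.3.0", scripts: { test: "node test.js" } },
  { name: "some-native", version: "2.0.0", gypfile: true, scripts: { test: "node test.js" } },
  { name: "helper-lib", version: "0.1.0", scripts: { postinstall: "node scripts/postinstall.js" } },
  { name: "other-tool", version: "1.0.0", scripts: { prepare: "npm run build" } },
  { name: "shorthand-dep", version: "0.0.1" },
  { name: "dev-only", version: "0.0.1" },
];

const report = auditDependencies(ROOT_MANIFEST, INSTALLED_MANIFESTS);
console.log(JSON.stringify(report, null, 2));
```

On a real project, replace the constructed manifests by reading ./package.json and each node_modules/*/package.json (and nested scoped packages); the packages in the scripts list are the ones npm approve-scripts will ask about, and the git and remote lists are the specs that will need explicit allowance or --allow-remote under NPM 12.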
The changes introduced in NPM 12 are part of GitHub’s continuous efforts to bolster security in software development. By restricting automatic script execution, GitHub aims to mitigate risks and protect developers from emerging supply chain threats.
