GitHub is set to implement significant security updates in version 12 of npm, aiming to bolster defenses against software supply chain threats. Announced on June 11, 2026, these changes include disabling install scripts by default, a move designed to prevent the automatic execution of potentially harmful code.
New Security Measures in npm
The forthcoming npm changes target attack strategies that abuse the ‘npm install’ command. This command downloads and installs the dependencies of a Node.js project, but it also runs the lifecycle scripts of every package in the dependency tree, direct and transitive alike, so a single compromised package anywhere in the chain can execute arbitrary code on the developer's machine or in CI. Scheduled for release next month, npm version 12 will address these concerns.
By requiring user consent before any code execution during the install process, GitHub aims to close a significant security loophole. The company stated that making script execution an opt-in process ensures only trusted packages can execute scripts automatically.
Specific Changes and Their Implications
Under the new defaults, ‘npm install’ will not run the preinstall, install, or postinstall scripts of dependencies unless they are explicitly allowed. Git dependencies will not be resolved unless the ‘--allow-git’ flag is passed, and dependencies fetched from remote URLs will similarly require the ‘--allow-remote’ flag.
The same gate applies to native builds driven by node-gyp. A package that ships a binding.gyp but declares no install script of its own triggers an implicit ‘node-gyp rebuild’ during install by npm's default behavior, so npm 12 subjects that implicit build to the same restriction as an explicit install script.
To prepare for these changes, GitHub advises developers to update to npm 11.16.0 or newer and review the warnings that appear during installations. This proactive preparation will help developers smoothly transition to the new system.
Guidance for Developers
GitHub suggests running ‘npm approve-scripts --allow-scripts-pending’ to list the packages that declare install scripts and to approve those deemed trustworthy. Committing the updated package.json records that decision, so that only the approved scripts run once the project moves to version 12.
Additionally, npm's earlier introduction of the ‘min-release-age’ setting provides further protection: it rejects any package version published more recently than the configured threshold, which blunts attacks that rely on a freshly published malicious version being installed before anyone notices it.
In conclusion, these updates represent a substantial shift in npm’s security posture, prioritizing developer safety and reducing the risk of supply chain attacks. As software development increasingly relies on open-source components, such proactive measures are critical to maintaining secure digital infrastructures.
