GitHub has rolled out npm version 12, introducing a significant security enhancement by disabling install scripts by default. This change aims to mitigate supply chain threats often associated with automated script execution during package installations.
Key Changes in npm 12
In a bid to bolster security, the new npm version alters several default behaviors that previously permitted automatic script execution. Now, the allowScripts setting is turned off by default, preventing the automatic execution of dependency lifecycle scripts such as preinstall, install, and postinstall. Additionally, npm’s handling of Git and remote URL dependencies has been tightened. The new default settings require explicit user permission for these dependencies to be resolved, making the process opt-in rather than automatic.
To manage and approve scripts deemed trustworthy, users must now execute the command npm approve-scripts –allow-scripts-pending. This creates an allowlist in the package.json file, ensuring that only verified scripts are run.
Impact on Granular Access Tokens and 2FA
Furthermore, npm 12 introduces changes affecting Granular Access Tokens (GATs), especially those used to bypass two-factor authentication. From August 2026, these tokens will lose the ability to perform sensitive actions such as account management and package configuration. GitHub advises developers to avoid using such tokens for critical operations and instead rely on interactive 2FA methods.
By January 2027, GATs will no longer support direct publishing. Instead, they will be limited to reading and staging packages, awaiting human 2FA approval for public release. This shift encourages a move toward more secure publishing practices, such as trusted or staged publishing.
pnpm’s Security Update
In related developments, pnpm version 11.10 now supports a new authentication configuration. The _auth setting allows credentials to be paired with their corresponding host as a single structured value. This change enhances security by ensuring that credentials are only retrieved from secure sources like the environment or global configuration, reducing the risk of token misuse from tampered project files.
The implementation of these security measures underscores the ongoing efforts to fortify software development environments against potential cyber threats. Developers are encouraged to adopt these updates promptly to safeguard their projects and maintain the integrity of the supply chain.
