npm version 12 disables install scripts by default and introduces changes to access tokens to mitigate supply chain risks. These modifications require explicit user approval for install scripts and restrict operations for granular access tokens, aiming to enhance security for developers.
GitHub has announced the release of npm version 12, which introduces significant changes aimed at improving security in software supply chains. Notably, install scripts will be disabled by default, requiring developers to explicitly approve their usage.
In npm 12, the default behavior for install scripts, including lifecycle scripts such as preinstall and postinstall, will be set to off. This means that any code executed during the package installation process will not run unless explicitly permitted by the user.
The new release will also restrict the resolution of git dependencies and remote URLs. By default, npm will not resolve dependencies from these sources unless explicitly allowed, enhancing control over package integrity.
In addition to changes regarding install scripts, npm 12 introduces modifications to Granular Access Tokens (GATs). These tokens will no longer permit actions that could compromise account security, including bypassing two-factor authentication for sensitive operations.
GitHub recommends that developers transition to npm version 11.16.0 or later and adjust to these new defaults. They should also prepare for the upcoming stringent measures related to granular access tokens before they take full effect in 2026 and 2027.
β¨ This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors β check the original sources. How BrevFeed works β
npm version 12 disables install scripts by default and introduces changes to access tokens to mitigate supply chain risks. These modifications require explicit user approval for install scripts and restrict operations for granular access tokens, aiming to enhance security for developers.