← All stories
● Covered by 1 source Β· 1 reportMedium impact

npm 12 Disables Install Scripts by Default to Enhance Security

Aggregated by BrevFeed dev Β· updated 1h ago
πŸ”– Save

npm version 12 disables install scripts by default and introduces changes to access tokens to mitigate supply chain risks. These modifications require explicit user approval for install scripts and restrict operations for granular access tokens, aiming to enhance security for developers.

Key points

Introduction of npm 12

GitHub has announced the release of npm version 12, which introduces significant changes aimed at improving security in software supply chains. Notably, install scripts will be disabled by default, requiring developers to explicitly approve their usage.

Changes to Install Scripts

In npm 12, the default behavior for install scripts, including lifecycle scripts such as preinstall and postinstall, will be set to off. This means that any code executed during the package installation process will not run unless explicitly permitted by the user.

Restrictions on Git and Remote Dependencies

The new release will also restrict the resolution of git dependencies and remote URLs. By default, npm will not resolve dependencies from these sources unless explicitly allowed, enhancing control over package integrity.

Updates to Granular Access Tokens

In addition to changes regarding install scripts, npm 12 introduces modifications to Granular Access Tokens (GATs). These tokens will no longer permit actions that could compromise account security, including bypassing two-factor authentication for sensitive operations.

Recommendations for Developers

GitHub recommends that developers transition to npm version 11.16.0 or later and adjust to these new defaults. They should also prepare for the upcoming stringent measures related to granular access tokens before they take full effect in 2026 and 2027.

✨ This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors β€” check the original sources. How BrevFeed works β†’

Primary sources

CVE CVE-2026-552008.1 HIGH CVE CVE-2026-468179.8 CRITICAL

Reporting from

npm version 12 disables install scripts by default and introduces changes to access tokens to mitigate supply chain risks. These modifications require explicit user approval for install scripts and restrict operations for granular access tokens, aiming to enhance security for developers.