GitHub will disable running npm install scripts by default in npm v12 — supply chain protection

Colleagues, an important cybersecurity update: GitHub has announced that npm v12 will disable execution of install scripts by default.
In brief:
- preinstall, install and postinstall hooks declared by dependencies will no longer run without explicit permission.
- Git dependencies and remote tarball URLs must be explicitly enabled via --allow-git and --allow-remote; implicit node-gyp builds are blocked as well.
- GitHub recommends upgrading to npm 11.16.0 now, reviewing the warnings it prints, and using npm approve-scripts to approve the scripts you actually need.
Why it matters: an install hook runs arbitrary code on the developer's machine or CI runner the moment the package is installed, so turning it off by default reduces the risk of executing malicious code shipped by a compromised transitive package.
Will you reassess your projects' script permission policies?
#cybersecurity #supplychain #npm #GitHub

