
GitHub will disable running npm install scripts by default in npm v12 — supply chain protection

Colleagues, an important cybersecurity update: GitHub has announced that npm v12 will disable execution of install scripts by default.

In brief:
- The preinstall, install and postinstall scripts of dependencies will no longer run without explicit permission.
- Git dependencies and remote tarball URLs must be enabled explicitly via --allow-git and --allow-remote; implicit node-gyp builds are also blocked.
- GitHub recommends upgrading to npm 11.16.0, reviewing the warnings it prints and using npm approve-scripts to approve the scripts you actually need.

Why it matters: this reduces the risk of running malicious code shipped in transitive dependencies, which today executes silently during npm install.

Will you reassess your projects' script permission policies?

#cybersecurity #supplychain #npm #GitHub
