- GitHub released npm version 12 with install scripts disabled by default, making previously automatic behaviors like dependency lifecycle scripts opt-in.
- Granular Access Tokens (GATs) designed to bypass two-factor authentication (2FA) are being deprecated, with phased restrictions starting in August 2026 and full publishing limits by January 2027.
- The concurrent pnpm 11.10 release introduces a new registry authentication setting that prevents project files from redirecting credentials to malicious hosts.
GitHub has officially announced the release of npm version 12 with install scripts disabled by default, while also deprecating granular access tokens (GATs) that bypass two-factor authentication (2FA). The Microsoft-owned subsidiary confirmed that three previously automatic npm install behaviors are now opt-in: dependency lifecycle scripts, Git dependencies, and remote URL dependencies.
Users must now run “npm approve-scripts” and commit a resulting allowlist in their package.json file to review and approve trusted scripts. These changes were previewed last month, with GitHub recommending developers upgrade to npm 11.16.0 or newer to review warnings.
The latest npm release also introduces two phased security changes for GATs. By early August 2026, tokens configured to bypass 2FA will lose the ability to perform sensitive account, package, and organization management actions. In January 2027, these tokens will no longer retain publishing capabilities, limiting their surface to reading private packages and staging a publish requiring human 2FA approval.
GitHub advised moving automated publishing to trusted publishing (OIDC) or staged publishing with a human approval step instead of using long-lived publish tokens. “To prepare, plan to move automated publishing to trusted publishing (OIDC) or staged publishing with a human approval step, rather than a long-lived publish token,” the company stated.
Meanwhile, pnpm 11.10 introduces a new “_auth” setting for configuring registry authentication as a single, URL-keyed value. Socket explained that the credential and its host travel together, with pnpm reading _auth only from the environment or global config. “A tampered project file is a common way attackers get a foothold, and redirecting a registry token is a direct route to stealing it, so closing that path removes exposure,” the firm noted.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
