npm 12 Disables Risky Scripts by Default

npm 12 makes install scripts opt-in to block supply chain attacks in July 2026.

  • GitHub is introducing major security changes to npm version 12, disabling install scripts by default to counter supply chain attacks.
  • The update, scheduled for release in July 2026, blocks automatic code execution via lifecycle hooks during “npm install” commands.
  • Developers must now explicitly approve trusted scripts and dependencies, moving from a default-trust to an opt-in security model.
  • The changes also block dependencies from Git and remote URLs unless specific new flags like “--allow-git” are used.

On June 11, 2026, GitHub announced significant security-focused updates for the upcoming npm version 12, directly targeting the rampant threat of software supply chain attacks by making install scripts opt-in. This decisive move aims to shut down what the company describes as the “single largest code-execution surface in the npm ecosystem.”

Consequently, the default behavior of the “npm install” command will no longer run preinstall, install, or postinstall scripts from any dependencies. This change prevents a single compromised package anywhere in a project’s dependency tree from executing arbitrary code on a developer’s machine or CI runner, according to a detailed post on the GitHub community discussions page.

Meanwhile, the update also blocks the resolution of Git dependencies and remote URL dependencies by default. Developers must now explicitly allow these using the new “--allow-git” or “--allow-remote” flags, a measure that closes additional code execution paths that were previously exploitable.

GitHub recommends developers prepare by upgrading to npm 11.16.0 or newer to review warnings and explicitly approve scripts they trust using the new “npm approve-scripts” command. The Microsoft-owned subsidiary stated that after approval, only vetted scripts will run following the upgrade.

These changes follow other recent npm security enhancements, including the “min-release-age” setting introduced earlier in 2026 to refuse package versions that were published too recently. The shift represents a fundamental change in how the Node.js package manager handles trust and automatic code execution.
