- GitHub is introducing major security changes to npm version 12, disabling install scripts by default to counter supply chain attacks.
- The update, scheduled for release in July 2026, blocks automatic code execution via lifecycle hooks during “npm install” commands.
- Developers must now explicitly approve trusted scripts and dependencies, moving from a default-trust to an opt-in security model.
- The changes also block dependencies fetched from Git repositories or remote URLs unless new flags such as “--allow-git” and “--allow-remote” are passed explicitly.
On June 11, 2026, GitHub announced significant security-focused updates for the upcoming npm version 12, directly targeting the rampant threat of software supply chain attacks by making install scripts opt-in. This decisive move aims to shut down what the company describes as the “single largest code-execution surface in the npm ecosystem.”
Consequently, the default behavior of the “npm install” command will no longer run preinstall, install, or postinstall scripts from any dependencies. This change prevents a single compromised package anywhere in a project’s dependency tree from executing arbitrary code on a developer’s machine or CI runner, according to a detailed post on the GitHub community discussions page.
The update also blocks the resolution of Git dependencies and remote URL (tarball) dependencies by default. Developers must now explicitly allow these with the new “--allow-git” or “--allow-remote” flags, a measure that closes additional code execution paths, since such dependencies bypass the registry and can serve arbitrary content.
GitHub recommends that developers prepare by upgrading to npm 11.16.0 or newer, reviewing the warnings it emits for dependencies with install scripts, and explicitly approving the scripts they trust with the new “npm approve-scripts” command. The Microsoft-owned subsidiary stated that after the upgrade to npm 12, only scripts approved this way will run.
These changes follow other recent npm security enhancements, including the “min-release-age” setting introduced earlier in 2026, which refuses to resolve package versions published more recently than a configured threshold so that a freshly compromised release is not pulled in automatically. Together, they represent a fundamental change in how the Node.js package manager handles trust and automatic code execution.
