Upcoming breaking changes for NPM v12


Upcoming breaking changes for npm v12 - GitHub Changelog


Our next npm major version, v12, introduces security-related default changes to npm install. All these changes are available behind warnings in npm today on 11.16.0 or newer, so you can prepare before the upgrade. v12 is estimated to release in July 2026.

Each change turns an npm install behavior that runs automatically today into one you explicitly opt into:

allowScripts defaults to off: npm install will no longer execute preinstall, install, or postinstall scripts from dependencies unless they are explicitly allowed in your project. This includes native node-gyp builds (i.e., a package with a binding.gyp and no explicit install script is still blocked, because npm runs an implicit node-gyp rebuild for it). prepare scripts from git, file, and link dependencies are blocked the same way. To see what would be blocked, run npm approve-scripts --allow-scripts-pending. Then allow the packages you trust with npm approve-scripts and block the rest with npm deny-scripts. The resulting allowlist is written to package.json and should be committed. On npm 11.16.0+, an install that runs dependency scripts already emits warnings, so you can see what v12 will block before upgrading.

--allow-git defaults to none: npm install will no longer resolve Git dependencies (direct or transitive) unless explicitly allowed via --allow-git. This closes a code-execution path where a Git dependency’s .npmrc could override the Git executable, even with --ignore-scripts. This change was previously announced on 2026-02-18 and is available in npm 11.10.0+.

--allow-remote defaults to none: npm install will no longer resolve dependencies from remote URLs, such as https tarballs (direct or transitive), unless explicitly allowed via --allow-remote. This flag is available in npm 11.15.0+. The related --allow-file and --allow-directory flags are not changing their defaults in v12.

How to prepare

Upgrade to npm 11.16.0 or later, run your normal install, and review the warnings. Use npm approve-scripts --allow-scripts-pending to see which packages have scripts, approve the ones you trust, and commit the updated package.json. After that, only the scripts you approved keep running once you upgrade. Anything you leave unapproved will stop. More details are available in our docs at npm approve-scripts, npm deny-scripts, and allow-scripts config (for npx and global installs). Please share your comments and questions in our community discussion.
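As an added example (not npm's own code, and not a substitute for npm approve-scripts --allow-scripts-pending), the script below reads a package-lock.json and lists the dependencies that the three v12 defaults above would affect: packages whose lockfile entry carries hasInstallScript, packages resolved from Git, and packages resolved from a tarball URL whose host is not a configured registry. The lockfile and the registry host list are constructed for this example; because hasInstallScript does not represent prepare scripts of git, file, or link dependencies, the "scripts" list is a lower bound.

```javascript
// Audit a package-lock.json (lockfileVersion 2 or 3) for dependencies that
// npm v12's new defaults would block. Heuristics are this example's own.
const REGISTRY_HOSTS = new Set(["registry.npmjs.org"]); // assumed registry host

// "node_modules/a/node_modules/b" -> "b" (scoped names keep their "@scope/" prefix)
function packageName(lockPath) {
  const i = lockPath.lastIndexOf("node_modules/");
  return i === -1 ? lockPath : lockPath.slice(i + "node_modules/".length);
}

// Returns { scripts, git, remote }: package names per v12 default that affects them.
// A package may appear in more than one list (e.g. a remote tarball with an install script).
function findBlocked(lock, registryHosts = REGISTRY_HOSTS) {
  const out = { scripts: [], git: [], remote: [] };
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === "" || entry.link) continue; // root project; link targets are described elsewhere
    const name = packageName(lockPath);
    const resolved = entry.resolved || "";
    if (/^git(\+[a-z]+)?:/.test(resolved)) {
      out.git.push(name); // needs --allow-git in v12
    } else if (/^https?:\/\//.test(resolved) && !registryHosts.has(new URL(resolved).host)) {
      out.remote.push(name); // needs --allow-remote in v12
    }
    if (entry.hasInstallScript === true) {
      out.scripts.push(name); // needs an allowScripts entry in v12
    }
  }
  return out;
}

// Constructed sample lockfile: one registry package, one native build, one git
// dependency, one remote tarball with an install script, one nested registry package.
const SAMPLE_LOCK = {
  name: "demo-app", lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/left-pad": { version: "1.3.0", resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz" },
    "node_modules/native-thing": { version: "2.0.0", resolved: "https://registry.npmjs.org/native-thing/-/native-thing-2.0.0.tgz", hasInstallScript: true },
    "node_modules/from-git": { version: "0.1.0", resolved: "git+ssh://git@github.com/example/from-git.git#0123456789abcdef0123456789abcdef01234567" },
    "node_modules/from-tarball": { version: "1.0.0", resolved: "https://example.invalid/pkgs/from-tarball-1.0.0.tgz", hasInstallScript: true },
    "node_modules/from-git/node_modules/nested": { version: "1.0.0", resolved: "https://registry.npmjs.org/nested/-/nested-1.0.0.tgz" },
  },
};

console.log(JSON.stringify(findBlocked(SAMPLE_LOCK), null, 2));
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")) and add any private registry hosts you use to REGISTRY_HOSTS.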
