npm install-time security and GAT bypass2fa deprecation - GitHub Changelog
Try GitHub Copilot CLI
Attend GitHub Universe
Search
Back to changelog
npm v12 is now generally available and tagged latest. This major release turns on the install-time security defaults we announced in June, and it’s also where we begin a deprecation of the most sensitive uses of 2FA-bypass granular access tokens (GATs).
Install-time security defaults are now on
As of npm v12, the following npm install behaviors that used to run automatically are now opt-in:
allowScripts defaults to off: Dependency lifecycle scripts (i.e., preinstall, install, postinstall) and implicit node-gyp builds no longer run unless explicitly allowed.
--allow-git defaults to none: Git dependencies (direct or transitive) are no longer resolved unless explicitly allowed.
--allow-remote defaults to none: Dependencies from remote URLs (e.g., https tarballs) are no longer resolved unless explicitly allowed.
All of these were available behind warnings in npm 11.16.0+, so you can prepare before upgrading. To review and approve the scripts you trust, run npm approve-scripts --allow-scripts-pending, then commit the resulting allowlist in package.json.
For full details, migration steps, and the docs links, see Upcoming breaking changes for npm v12 and share questions in the npm v12 community discussion.
npm 2FA-bypass GAT will stop skipping 2FA for account changes
npm granular access tokens configured to bypass 2FA will be unable to perform sensitive account, package, and organization management actions once the change is rolled out. Operations for account management on npm will not be able skip 2FA anymore.
This affects operations such as:
Creating or deleting tokens
Generating recovery codes and changing your password, email, profile, or 2FA configuration
Changing package access, maintainers, or trusted publishing configuration
Managing organization and team membership as well as their package grants
We expect this change to take effect in early August 2026. To prepare, stop using 2FA-bypass tokens for these operations and perform them interactively with 2FA.
2FA-bypass tokens will no longer publish directly
Following the change above, 2FA-bypass tokens will also lose the ability to publish directly. Their publishing surface will be reduced to reading private packages and staging a publish, where a package only becomes public after a human 2FA approval.
We expect this change to take effect around January 2027. To prepare, plan to move automated publishing to trusted publishing (OIDC) or staged publishing with a human approval step, rather than a long-lived publish token.
More work is landing over the next few months to make migrating to trusted publishing and staged publishing easier. We’ll share migration guides in a follow-up community discussion.
Follow along and ask questions in the community discussion.
Related Posts
Jul.08 Release
Innersource security advisories are generally available
supply chain security
Jun.30 Release
Open source license compliance is in public preview
supply chain security
Jun.30 Improvement
Dependabot no longer infers .npmrc
supply chain security
Jun.30 Improvement
Upcoming cloud data retention policy for closed security alerts
application security<br>supply chain security
...<br>+1
Jun.26 Improvement
Read-only Actions cache for untrusted triggers
actions<br>supply chain security
...<br>+1
Jun.25 Improvement
npm adds preventive account protection for high-impact accounts
supply chain security
Jun.23 Retired
Deprecation of Python 3.9 for Dependabot
supply chain security
Jun.18 Release
Safer pull_request_target defaults for GitHub Actions checkout
actions<br>supply chain security
...<br>+1
Jun.18 Release
Control who and what triggers GitHub Actions workflows
actions<br>supply chain security
...<br>+1
Subscribe to our developer newsletter
Discover tips, technical guides, and best practices in our biweekly newsletter just for devs.
Enter your email*
Subscribe
By submitting, I agree to let GitHub and its affiliates use my information for personalized communications, targeted advertising, and campaign effectiveness. See the GitHub Privacy Statement for more details.
Back to top
© 2026 GitHub, Inc.
Terms
Privacy
Manage Cookies
Do not share my personal information
LinkedIn icon
GitHub on LinkedIn
Instagram icon
GitHub on Instagram
YouTube icon
GitHub on YouTube
X icon
GitHub on X
TikTok icon
GitHub on TikTok
Twitch icon
GitHub on Twitch
GitHub icon
GitHub’s organization on GitHub