NPM 12 makes install scripts, Git, and remote-url dependencies opt-in by default

slymax1 pts0 comments

npm install-time security and GAT bypass2fa deprecation - GitHub Changelog

Try GitHub Copilot CLI

Attend GitHub Universe

Search

Back to changelog

npm v12 is now generally available and tagged latest. This major release turns on the install-time security defaults we announced in June, and it’s also where we begin a deprecation of the most sensitive uses of 2FA-bypass granular access tokens (GATs).

Install-time security defaults are now on

As of npm v12, the following npm install behaviors that used to run automatically are now opt-in:

allowScripts defaults to off: Dependency lifecycle scripts (i.e., preinstall, install, postinstall) and implicit node-gyp builds no longer run unless explicitly allowed.

--allow-git defaults to none: Git dependencies (direct or transitive) are no longer resolved unless explicitly allowed.

--allow-remote defaults to none: Dependencies from remote URLs (e.g., https tarballs) are no longer resolved unless explicitly allowed.

All of these were available behind warnings in npm 11.16.0+, so you can prepare before upgrading. To review and approve the scripts you trust, run npm approve-scripts --allow-scripts-pending, then commit the resulting allowlist in package.json.

For full details, migration steps, and the docs links, see Upcoming breaking changes for npm v12 and share questions in the npm v12 community discussion.

npm 2FA-bypass GAT will stop skipping 2FA for account changes

npm granular access tokens configured to bypass 2FA will be unable to perform sensitive account, package, and organization management actions once the change is rolled out. Operations for account management on npm will not be able skip 2FA anymore.

This affects operations such as:

Creating or deleting tokens

Generating recovery codes and changing your password, email, profile, or 2FA configuration

Changing package access, maintainers, or trusted publishing configuration

Managing organization and team membership as well as their package grants

We expect this change to take effect in early August 2026. To prepare, stop using 2FA-bypass tokens for these operations and perform them interactively with 2FA.

2FA-bypass tokens will no longer publish directly

Following the change above, 2FA-bypass tokens will also lose the ability to publish directly. Their publishing surface will be reduced to reading private packages and staging a publish, where a package only becomes public after a human 2FA approval.

We expect this change to take effect around January 2027. To prepare, plan to move automated publishing to trusted publishing (OIDC) or staged publishing with a human approval step, rather than a long-lived publish token.

More work is landing over the next few months to make migrating to trusted publishing and staged publishing easier. We’ll share migration guides in a follow-up community discussion.

Follow along and ask questions in the community discussion.

Related Posts

Jul.08 Release

Innersource security advisories are generally available

supply chain security

Jun.30 Release

Open source license compliance is in public preview

supply chain security

Jun.30 Improvement

Dependabot no longer infers .npmrc

supply chain security

Jun.30 Improvement

Upcoming cloud data retention policy for closed security alerts

application security<br>supply chain security

...<br>+1

Jun.26 Improvement

Read-only Actions cache for untrusted triggers

actions<br>supply chain security

...<br>+1

Jun.25 Improvement

npm adds preventive account protection for high-impact accounts

supply chain security

Jun.23 Retired

Deprecation of Python 3.9 for Dependabot

supply chain security

Jun.18 Release

Safer pull_request_target defaults for GitHub Actions checkout

actions<br>supply chain security

...<br>+1

Jun.18 Release

Control who and what triggers GitHub Actions workflows

actions<br>supply chain security

...<br>+1

Subscribe to our developer newsletter

Discover tips, technical guides, and best practices in our biweekly newsletter just for devs.

Enter your email*

Subscribe

By submitting, I agree to let GitHub and its affiliates use my information for personalized communications, targeted advertising, and campaign effectiveness. See the GitHub Privacy Statement for more details.

Back to top

&copy; 2026 GitHub, Inc.

Terms

Privacy

Manage Cookies

Do not share my personal information

LinkedIn icon

GitHub on LinkedIn

Instagram icon

GitHub on Instagram

YouTube icon

GitHub on YouTube

X icon

GitHub on X

TikTok icon

GitHub on TikTok

Twitch icon

GitHub on Twitch

GitHub icon

GitHub’s organization on GitHub

github security supply chain actions publishing

Related Articles