GitHub Turns Off npm V12 Install Scripts by Default for 100s of Billions of Monthly Downloads
Updated · InfoWorld · Jun 11
Summary
July’s npm v12 release will stop running dependency preinstall, install and postinstall scripts unless projects explicitly allow them, also blocking implicit node-gyp rebuilds and prepare scripts from git, file and link dependencies.
GitHub said the shift was driven by the pace of supply-chain attacks and the need to make the secure path the default, after years in which automatic install-time execution let one compromised package spread quickly.
Security analysts broadly backed the move but said it narrows rather than eliminates risk, with attackers still able to pivot to runtime malware, compromised maintainer accounts, dependency confusion, typo-squatting and poisoned CI workflows.
The change may still be painful because native builds, Electron downloads, Playwright and Cypress installers, and Husky hooks all grew up around auto-execution, yet supporters said explicit approvals create an auditable control record that is valuable for regulated firms.
As npm mandates explicit trust, are developers prepared for the new burden of vetting every single package script?
With npm blocking the easiest entry point, what is the next inevitable evolution of software supply chain attacks?
Is the Node.js runtime fundamentally insecure, making npm’s latest security patch only a temporary fix?
npm v12 in July 2026: Mandatory Security Defaults and the Future of JavaScript Package Management
Overview
npm v12, launching in July 2026, marks a major change in how developers use npm by making security the default. It disables automatic execution of risky scripts like preinstall, install, and postinstall, as well as native module builds, to address long-standing supply chain vulnerabilities. Now, developers must give explicit consent before these actions can run, reducing the risk of attacks. This shift aims to strengthen the npm ecosystem’s security and requires developers to review and update their workflows to adapt to the new, safer defaults.