npm v12: Installation Scripts of Dependencies Require Explicit Approval from 2026

Bottom line: npm v12 disables installation scripts of dependencies by default, thereby closing an attack surface for supply-chain attacks.

GitHub blocks a frequently exploited attack vector in npm v12: from July 2026, installation scripts of dependencies will be blocked by default and will require explicit approval from the user.

GitHub is changing the default behavior for dependency installation with npm v12: scripts that packages execute during installation will no longer run automatically from July 2026. This particularly affects lifecycle scripts such as install, postinstall and preinstall in the package.json files of dependencies.

For CTOs, this represents a significant risk reduction in supply-chain security. Until now, automatically executed installation scripts allowed attackers to inject arbitrary code into the build process via compromised or maliciously hijacked packages. Since this code runs with the privileges of the installing user, it can exfiltrate access keys, environment variables or source code. The new default closes this vector without any action on the user's part.

Developers and operations teams will need to explicitly approve installation scripts when needed, for example via command-line flags or configuration files. This promotes more deliberate engagement with trusted dependencies and enables granular control within build processes and CI/CD pipelines.


Source: www.heise.de · Published June 10, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification via Lumi News Pipeline v1.6.5.