In brief: npm 12 blocks automatic execution of install scripts, Git dependencies, and external URL dependencies by default; those operations will require explicit approval.
GitHub has announced stricter default settings for npm version 12 (release July 2026), which will block automatic code execution during npm install. The change aims to prevent supply-chain attacks carried out through install-time lifecycle scripts.
The new defaults in npm 12 affect three areas. First, installation scripts (preinstall, install, postinstall) of external dependencies are no longer run automatically; this covers native module builds via node-gyp as well as scripts from Git dependencies and local links. Second, Git dependencies are no longer fetched by npm install, whether they are referenced directly or pulled in transitively. Third, packages referenced by external URL, such as HTTPS tarballs, are no longer resolved by default.
Until now, attackers have regularly abused this automatic execution to run malicious code on developer machines or in build systems during installation. According to GitHub, the new settings would have blocked several documented malware campaigns, among them the attacks on eslint-config-prettier, on Toptal’s Picasso packages, and the Shai-Hulud supply-chain attacks that abused Git dependencies.
Projects whose legitimate workflows rely on the previous automation must explicitly re-enable the blocked behaviour before switching to npm 12. GitHub recommends migrating to npm 11.16.0 or later in good time, as these versions already emit detailed warnings whenever a project uses a workflow that will require explicit approval under npm 12.
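As an added illustration, not npm's or GitHub's own code, the following Node.js script lists the three things the new defaults stop in a project: Git and URL dependency specs in the manifest, and installed packages with install-time scripts or an implicit node-gyp build. The spec patterns are an assumption that only approximates npm's resolver, and all package names and hosts are constructed.

```javascript
// Added example, not npm's own code; assumption: the spec patterns only approximate what npm's resolver accepts.
const LIFECYCLE = ['preinstall', 'install', 'postinstall'];
// Classify a package.json dependency spec as registry / git / url / local.
function classifySpec(spec) {
  const s = String(spec).trim();
  if (/^(file:|link:|\.\.?\/|\/)/.test(s)) return 'local';
  if (/^npm:/.test(s)) return 'registry';               // alias, still fetched from the registry
  if (/^(git\+|git:|git@|github:|gitlab:|bitbucket:|gist:)/i.test(s) || /\.git(#[^#]*)?$/.test(s)) return 'git';
  if (/^[\w.-]+\/[\w.-]+(#.*)?$/.test(s)) return 'git'; // owner/repo GitHub shorthand
  if (/^https?:\/\//i.test(s)) return 'url';            // remote tarball
  return 'registry';                                    // range, tag or exact version
}
// Install-time lifecycle scripts. binding.gyp with no install/preinstall script means npm
// runs an implicit `node-gyp rebuild`, which the new defaults also stop.
function installScripts(pkgJson, files = []) {
  const scripts = (pkgJson && pkgJson.scripts) || {};
  const found = LIFECYCLE.filter((n) => typeof scripts[n] === 'string' && scripts[n].trim() !== '');
  if (files.includes('binding.gyp') && !scripts.install && !scripts.preinstall) {
    found.push('install (implicit node-gyp rebuild)');
  }
  return found;
}
// One finding per manifest spec or installed package that would need explicit approval.
function auditProject(rootPkg, installed) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(rootPkg[field] || {})) {
      const kind = classifySpec(spec);
      if (kind === 'git' || kind === 'url') findings.push({ name, reason: kind, detail: spec });
    }
  }
  for (const { pkg, files } of installed) {
    const scripts = installScripts(pkg, files);
    if (scripts.length) findings.push({ name: pkg.name, reason: 'scripts', detail: scripts.join(', ') });
  }
  return findings;
}
// Constructed sample input; package names and hosts are hypothetical.
const sampleRoot = {
  dependencies: { 'plain-lib': '^2.1.0', 'forked-lib': 'github:example-org/forked-lib#v1.4.0' },
  devDependencies: { 'tarball-tool': 'https://packages.example.invalid/tarball-tool-1.0.0.tgz', 'local-helper': 'file:../local-helper' },
};
const sampleInstalled = [
  { pkg: { name: 'plain-lib', scripts: { test: 'node test.js' } }, files: ['package.json'] },
  { pkg: { name: 'native-thing', scripts: {} }, files: ['package.json', 'binding.gyp'] },
  { pkg: { name: 'hooked-lib', scripts: { postinstall: 'node setup.js' } }, files: ['package.json'] },
];
const report = auditProject(sampleRoot, sampleInstalled);
for (const f of report) console.log(`${f.reason.padEnd(7)} ${f.name}: ${f.detail}`);
```

Run against a real project by loading its package.json and the package.json plus file list of each directory under node_modules; the `local-helper` and `plain-lib` entries are deliberately left unflagged to show that local links and plain registry ranges are unaffected.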
Source: www.it-daily.net · Published 14 June 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.